Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2024 06:00

Static task: static1

Behavioral task: behavioral1
- Sample: d594c186f9660bcf2bc3fdb127dbdf7c_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: d594c186f9660bcf2bc3fdb127dbdf7c_JaffaCakes118.exe
- Resource: win10v2004-20241007-en

General
- Target: d594c186f9660bcf2bc3fdb127dbdf7c_JaffaCakes118.exe
- Size: 110KB
- MD5: d594c186f9660bcf2bc3fdb127dbdf7c
- SHA1: 140ad950bc94e325fe58b99cbe3c2c1bed3e11d7
- SHA256: e12682a3a1449409aacfa114db8609a44266c47a507ef833ad5d0397922c6fca
- SHA512: d2daf8a0ce0b51089bbdca62a17fc85a537c1ba1be1d08f9b19e2d6b0d2f6c362b7c4fa08b8fbdbdc61a7af89f76cceedfd7e7b0095d6f8ffaa87c4097f78353
- SSDEEP: 3072:h79iUoxnqKHgG6v0Jg5fqipkw2udJupRmSB3dg1YthAPeYGa:hmx+/vgtxpRDB3diYUPeN
Malware Config

Signatures
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (57 IoCs)
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: d594c186f9660bcf2bc3fdb127dbdf7c_JaffaCakes118.exe)
- Drops file in System32 directory (64 IoCs)
- yara_rule upx (matches in behavioral1 dropped files and process memory)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the leading number is the nesting depth; each entry is a child of the entry one level above it)
- 1: C:\Users\Admin\AppData\Local\Temp\d594c186f9660bcf2bc3fdb127dbdf7c_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d594c186f9660bcf2bc3fdb127dbdf7c_JaffaCakes118.exe"), PID 1688: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
- 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ztchao.exe (command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ztchao.exe), PID 1628: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

Entries 3 to 65 are all C:\Windows\SysWOW64\explore.exe, launched with the command line C:\Windows\system32\explore.exe:
- 3: PID 2456: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 4: PID 2796: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 5: PID 2596: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 6: PID 2388: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 7: PID 2984: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 8: PID 2664: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 9: PID 2604: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 10: PID 2612: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- 11: PID 2128: Executes dropped EXE; Loads dropped DLL
- 12: PID 1244: Executes dropped EXE; Loads dropped DLL
- 13: PID 472: Executes dropped EXE; Loads dropped DLL
- 14: PID 1368: Executes dropped EXE; Loads dropped DLL
- 15: PID 2816: Executes dropped EXE; Loads dropped DLL
- 16: PID 2700: Executes dropped EXE; Loads dropped DLL
- 17: PID 2892: Executes dropped EXE; Loads dropped DLL
- 18: PID 1980: Executes dropped EXE; Loads dropped DLL
- 19: PID 1104: Executes dropped EXE; Loads dropped DLL
- 20: PID 1740: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
- 21: PID 844: Executes dropped EXE; Loads dropped DLL
- 22: PID 1396: Executes dropped EXE; Loads dropped DLL
- 23: PID 1272: Executes dropped EXE
- 24: PID 2480: Executes dropped EXE
- 25: PID 1296: Executes dropped EXE
- 26: PID 1996: Executes dropped EXE
- 27: PID 2720: Executes dropped EXE
- 28: PID 632: Executes dropped EXE
- 29: PID 1792: Executes dropped EXE
- 30: PID 1920: Executes dropped EXE; Drops file in System32 directory
- 31: PID 1936: Executes dropped EXE
- 32: PID 1764: Executes dropped EXE
- 33: PID 2116: Executes dropped EXE
- 34: PID 2108: Executes dropped EXE; Drops file in System32 directory
- 35: PID 756: Executes dropped EXE
- 36: PID 2924: Executes dropped EXE
- 37: PID 2348: Executes dropped EXE
- 38: PID 1916: Executes dropped EXE
- 39: PID 2132: Executes dropped EXE
- 40: PID 1512: Executes dropped EXE
- 41: PID 1136: Executes dropped EXE
- 42: PID 404: Executes dropped EXE
- 43: PID 1132: Executes dropped EXE
- 44: PID 2396: Executes dropped EXE; Drops file in System32 directory
- 45: PID 2392: Executes dropped EXE
- 46: PID 2752: Executes dropped EXE
- 47: PID 2336: Executes dropped EXE
- 48: PID 960: Executes dropped EXE
- 49: PID 1552: Executes dropped EXE
- 50: PID 1544: Executes dropped EXE
- 51: PID 1180: Executes dropped EXE
- 52: PID 1020: Executes dropped EXE
- 53: PID 900: Executes dropped EXE
- 54: PID 928: Executes dropped EXE
- 55: PID 2904: Executes dropped EXE
- 56: PID 1276: Executes dropped EXE
- 57: PID 2808: Executes dropped EXE
- 58: PID 1752: Executes dropped EXE
- 59: PID 2100: Executes dropped EXE
- 60: PID 740: Executes dropped EXE
- 61: PID 1348: Executes dropped EXE
- 62: PID 1508: Executes dropped EXE
- 63: PID 884: Executes dropped EXE
- 64: PID 1788: Executes dropped EXE
- 65: PID 2408: Executes dropped EXE
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe66⤵PID:2400
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe67⤵PID:1612
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe68⤵PID:3056
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe69⤵PID:1732
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe70⤵PID:2896
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe71⤵PID:2584
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe72⤵PID:2776
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe73⤵PID:2788
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe74⤵PID:2704
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe75⤵PID:2692
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe76⤵PID:2680
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe77⤵PID:2804
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe78⤵PID:2104
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe79⤵PID:2672
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe80⤵PID:2520
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe81⤵PID:2656
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe82⤵PID:2548
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe83⤵PID:2508
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe84⤵PID:2564
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe85⤵PID:3028
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe86⤵PID:1640
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe87⤵PID:3020
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe88⤵PID:696
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe89⤵PID:1052
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe90⤵PID:988
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe91⤵PID:2844
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe92⤵PID:608
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe93⤵PID:2852
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe94⤵PID:2832
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe95⤵PID:2872
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe96⤵PID:2876
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe97⤵PID:2968
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe98⤵PID:2988
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe99⤵PID:2532
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe100⤵PID:804
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe101⤵PID:2344
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe102⤵PID:2000
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe103⤵PID:1984
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe104⤵PID:2560
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe105⤵PID:1264
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe106⤵PID:2352
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe107⤵PID:2580
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe108⤵PID:1532
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe109⤵PID:1872
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe110⤵PID:1932
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe111⤵PID:2096
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe112⤵PID:2092
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe113⤵PID:2588
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe114⤵PID:2936
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe115⤵PID:2136
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe116⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe117⤵PID:2472
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe118⤵PID:2200
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe119⤵PID:1356
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe120⤵PID:2412
-
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe121⤵
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\explore.exeC:\Windows\system32\explore.exe122⤵PID:2328
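Two things in the tree above are worth turning into detection logic: the dropped binary is named explore.exe, one character short of the legitimate explorer.exe, and it re-spawns itself to a nesting depth of 122. The image path also sits under SysWOW64 while the command line names System32, which is what WoW64 file system redirection does to a 32-bit process. The following is an added example, not part of the sandbox report and not the loader's code: it runs these three checks over process-creation records. Sample records are constructed from a slice of the PIDs above; the report shows nesting depth rather than parent PIDs, so the parent/child links, the small KNOWN_IMAGES allowlist, the benign explorer.exe control row and the chain threshold are all assumptions.

```python
"""Flag lookalike image names, long self-spawn chains and WoW64-redirected
System32 paths in process-creation telemetry (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a short allowlist of legitimate Windows image names a loader
# tends to imitate. A real deployment would use the full inventory of the host.
KNOWN_IMAGES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str     # path of the image actually mapped
    cmdline: str   # command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, known=KNOWN_IMAGES) -> Optional[str]:
    """Return the legitimate image that `name` is one edit away from, or None
    when the name is itself legitimate or not close to anything known."""
    name = name.lower()
    if name in known:
        return None
    for k in sorted(known):
        if edit_distance(name, k) == 1:
            return k
    return None


def wow64_redirected(p: Proc) -> bool:
    """True when the command line names System32 but the mapped image lives in
    SysWOW64: a 32-bit binary resolved through WoW64 file system redirection.
    Harmless on its own, but it tells you the process is 32-bit."""
    return (p.image.lower().startswith("c:\\windows\\syswow64\\")
            and p.cmdline.lower().startswith("c:\\windows\\system32\\"))


def self_spawn_depth(procs: List[Proc]) -> Dict[int, int]:
    """For each pid, the number of consecutive ancestors (itself included) that
    share its image name. 1 means the parent is a different program."""
    by_pid = {p.pid: p for p in procs}
    depth: Dict[int, int] = {}
    for p in procs:
        n, cur, seen = 1, p, {p.pid}
        while True:
            parent = by_pid.get(cur.ppid)
            if (parent is None or parent.pid in seen
                    or basename(parent.image) != basename(p.image)):
                break
            n, cur = n + 1, parent
            seen.add(parent.pid)   # guards against cyclic ppid data
        depth[p.pid] = n
    return depth


def find_alerts(procs: List[Proc], max_chain: int = 5) -> List[str]:
    """One alert line per finding; max_chain is an assumed tuning threshold."""
    alerts = []
    depth = self_spawn_depth(procs)
    for p in procs:
        name = basename(p.image)
        real = lookalike_of(name)
        if real:
            alerts.append(f"pid {p.pid}: {name} imitates {real} ({p.image})")
        if depth[p.pid] > max_chain:
            alerts.append(f"pid {p.pid}: {name} self-spawn chain depth {depth[p.pid]}")
    return alerts


# Constructed sample: one benign control row, then depths 27-37 of the report's
# chain. Parent links follow the nesting; the page itself does not list PPIDs.
SAMPLE: List[Proc] = [Proc(1234, None, "C:\\Windows\\explorer.exe", "C:\\Windows\\Explorer.EXE")]
_ppid = 1996   # PID shown for the depth-26 parent; deliberately not in SAMPLE
for _pid in [2720, 632, 1792, 1920, 1936, 1764, 2116, 2108, 756, 2924, 2348]:
    SAMPLE.append(Proc(_pid, _ppid, "C:\\Windows\\SysWOW64\\explore.exe",
                       "C:\\Windows\\system32\\explore.exe"))
    _ppid = _pid

if __name__ == "__main__":
    for line in find_alerts(SAMPLE):
        print(line)
```

The lookalike check fires on every explore.exe row and stays silent on the real explorer.exe; the chain check only fires once the depth passes the threshold, so with the full 122-deep tree it would produce one alert per process from the sixth self-spawn onward, which is the signal to alert on rather than any single process creation.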