Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
09-12-2024 17:03
Static task
static1
Behavioral task
behavioral1
Sample
daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe
-
Size
267KB
-
MD5
daa4c6bec7172d8ac999a9fce4dabe93
-
SHA1
4f965013d1497c6767dd7fbd230b262228bf2b0b
-
SHA256
ed817bdcb48adc2f8fd16ce462bf53d634ac326f5cf2545beeaa07bcb08b239f
-
SHA512
74aa037f2f89e4aa8495b771fca2e04189c70ecf3f960e7da802ded52de645246b4877bd65907584970bc3cb7883182c3d09bf788b45d695456ed60732412e54
-
SSDEEP
6144:WV+RtpxaqIgasEnawhJpuTB2sT2wyLCx0F1cL+I5:mAaawPpBw4g9L
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Deletes itself 1 IoCs
pid Process 2980 wmisxjg.exe -
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\daa4c6bec7172d8ac999a9fce4dabe93_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Users\Admin\AppData\Local\Temp\DAA4C6~1.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Users\Admin\AppData\Local\Temp\DAA4C6~1.EXE4⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2236 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2188 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1540 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:956 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1848 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1608 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2072 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2452 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1456 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1444 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1672 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2000 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1244 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2988 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2556 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2608 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2224 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2104 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe34⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1324 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2436 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe36⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2600 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe38⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2968 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1860 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe40⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2100 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2876 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe42⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1896 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe44⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3060 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:992 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe46⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1488 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe48⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe50⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:884 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1552 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe52⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2024 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe54⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3040 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1920 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe56⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1724 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2988 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe58⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2668 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2584 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe60⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1028 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2888 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe62⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2284 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2708 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe64⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:824 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2952 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2236 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe67⤵
- Suspicious use of SetThreadContext
PID:2200 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe68⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe69⤵
- Suspicious use of SetThreadContext
PID:1136 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe70⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe71⤵
- Suspicious use of SetThreadContext
PID:1624 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1644 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe73⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe74⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:784 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe75⤵
- Suspicious use of SetThreadContext
PID:1904 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:712 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe78⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1956 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe79⤵
- Suspicious use of SetThreadContext
PID:1260 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe80⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1912 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe81⤵
- Suspicious use of SetThreadContext
PID:3000 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe82⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2992 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe83⤵
- Suspicious use of SetThreadContext
PID:2932 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe84⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1724 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe85⤵
- Suspicious use of SetThreadContext
PID:2552 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2804 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe87⤵
- Suspicious use of SetThreadContext
PID:2104 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe88⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2700 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe89⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe90⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2520 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe91⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3048 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe93⤵
- Suspicious use of SetThreadContext
PID:2064 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe94⤵
- Suspicious behavior: EnumeratesProcesses
PID:112 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe95⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2056 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe97⤵
- Suspicious use of SetThreadContext
PID:1692 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe98⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1732 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe99⤵
- Suspicious use of SetThreadContext
PID:1500 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe100⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe101⤵
- Suspicious use of SetThreadContext
PID:900 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe102⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:640 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe103⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe104⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3028 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe105⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe106⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe107⤵
- Suspicious use of SetThreadContext
PID:2648 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe108⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2752 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe109⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe110⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe111⤵
- Suspicious use of SetThreadContext
PID:1884 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe112⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe113⤵
- Suspicious use of SetThreadContext
PID:600 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1892 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe115⤵
- Suspicious use of SetThreadContext
PID:2436 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe116⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2908 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe117⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2948 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe119⤵
- Suspicious use of SetThreadContext
PID:1612 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe120⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2064 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\system32\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe121⤵
- Suspicious use of SetThreadContext
PID:2116 -
C:\Windows\SysWOW64\wmisxjg.exe"C:\Windows\SysWOW64\wmisxjg.exe" C:\Windows\SysWOW64\wmisxjg.exe122⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308