Analysis
-
max time kernel
107s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2024 23:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e50f367511f501e9d0f683154c4a7340N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e50f367511f501e9d0f683154c4a7340N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e50f367511f501e9d0f683154c4a7340N.exe
-
Size
80KB
-
MD5
e50f367511f501e9d0f683154c4a7340
-
SHA1
5d871b10b00877d195fc370ed0aa2b6914205629
-
SHA256
c3365938b2aa3fb91fa4fb3202be68ba4fc6f093a7ca590f1a5249bee73803fb
-
SHA512
00328ac1ed169c554f946c4f4038da3a5d382cf8922cf6833d4d383bdfc841f9d2008010b800d9db3fd1b71a7c8715092fb57fb85aca375a86795c342283f627
-
SSDEEP
1536:jozceoQR9Wdeni3vXbm1/vPRQkU5YMkhohBE8VGh:jozcAWd/vXbm1vRQkgUAEQGh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peieba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dglkoeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coegoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfennic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllhpkfk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpakj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmdhcddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcqjon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlfqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifppdpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdaodja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjgeedch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecjke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjhbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djjebh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiiggoaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ganldgib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbnkonbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlambk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neoieenp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqimikfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnknafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiioonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakikoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfenglqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiddm32.exe -
Executes dropped EXE 64 IoCs
pid Process 4564 Milidebi.exe 1292 Mlkepaam.exe 4140 Mniallpq.exe 112 Mecjif32.exe 1768 Mhafeb32.exe 3092 Mjpbam32.exe 4792 Mbgjbkfg.exe 4164 Meefofek.exe 2824 Mhdckaeo.exe 4496 Mjbogmdb.exe 4060 Mbighjdd.exe 1524 Micoed32.exe 4820 Mlbkap32.exe 3268 Mnphmkji.exe 1048 Maodigil.exe 3168 Mhilfa32.exe 1504 Nobdbkhf.exe 3112 Naaqofgj.exe 4364 Nihipdhl.exe 4936 Noeahkfc.exe 1096 Nbqmiinl.exe 1604 Neoieenp.exe 1780 Nhmeapmd.exe 2448 Nognnj32.exe 372 Neafjdkn.exe 5068 Nimbkc32.exe 2464 Nlkngo32.exe 4616 Nojjcj32.exe 3692 Neccpd32.exe 4044 Nhbolp32.exe 4440 Nlnkmnah.exe 3296 Nolgijpk.exe 2156 Najceeoo.exe 1600 Niakfbpa.exe 3504 Nhdlao32.exe 1904 Okchnk32.exe 4776 Objpoh32.exe 3764 Oehlkc32.exe 1784 Oidhlb32.exe 1892 Okedcjcm.exe 4688 Oblmdhdo.exe 1204 Oifeab32.exe 4396 Oldamm32.exe 4868 Oocmii32.exe 2524 Oaajed32.exe 2692 Oihagaji.exe 4368 Ohkbbn32.exe 4480 Ooejohhq.exe 1400 Oadfkdgd.exe 3252 Oeoblb32.exe 3760 Ohnohn32.exe 3988 Olijhmgj.exe 4816 Oohgdhfn.exe 4604 Oafcqcea.exe 1232 Oimkbaed.exe 2060 Pllgnl32.exe 1520 Pojcjh32.exe 1240 Pedlgbkh.exe 5048 Phbhcmjl.exe 1444 Plndcl32.exe 1964 Pchlpfjb.exe 3008 Pefhlaie.exe 1064 Pibdmp32.exe 1492 Plpqil32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kpbodmjl.dll Ajpqnneo.exe File created C:\Windows\SysWOW64\Pocpfphe.exe Phigif32.exe File opened for modification C:\Windows\SysWOW64\Mfeeabda.exe Mgbefe32.exe File created C:\Windows\SysWOW64\Nobdbkhf.exe Mhilfa32.exe File created C:\Windows\SysWOW64\Nenbjo32.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Bohgljdl.dll Kfnfjehl.exe File created C:\Windows\SysWOW64\Nmdgikhi.exe Nnafno32.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Nfnamjhk.exe File created C:\Windows\SysWOW64\Jhijep32.dll Cdbpgl32.exe File opened for modification C:\Windows\SysWOW64\Dokgdkeh.exe Dmlkhofd.exe File created C:\Windows\SysWOW64\Bhmbqm32.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Bnoddcef.exe File created C:\Windows\SysWOW64\Iolhkh32.exe Ipihpkkd.exe File opened for modification C:\Windows\SysWOW64\Diccgfpd.exe Djqblj32.exe File opened for modification C:\Windows\SysWOW64\Glcaambb.exe Fideeaco.exe File created C:\Windows\SysWOW64\Phonha32.exe Ppgegd32.exe File opened for modification C:\Windows\SysWOW64\Cljobphg.exe Cdbfab32.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Fmhdkknd.exe File opened for modification C:\Windows\SysWOW64\Oaplqh32.exe Onapdl32.exe File created C:\Windows\SysWOW64\Igafkb32.dll Pnmopk32.exe File opened for modification C:\Windows\SysWOW64\Cbgnemjj.exe Coiaiakf.exe File created C:\Windows\SysWOW64\Inmdohhp.dll Koajmepf.exe File created C:\Windows\SysWOW64\Mkjnfkma.exe Mccfdmmo.exe File created C:\Windows\SysWOW64\Fbociolq.dll Bkkple32.exe File created C:\Windows\SysWOW64\Dhclmp32.exe Dbicpfdk.exe File created C:\Windows\SysWOW64\Ieidhh32.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Maodigil.exe Mnphmkji.exe File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Gaebef32.exe File created C:\Windows\SysWOW64\Qiiflaoo.exe Qfjjpf32.exe File created C:\Windows\SysWOW64\Kngkqbgl.exe Kfpcoefj.exe File created C:\Windows\SysWOW64\Palklf32.exe Pnmopk32.exe File created C:\Windows\SysWOW64\Enfckp32.exe Doccpcja.exe File created C:\Windows\SysWOW64\Ampaho32.exe Process not Found File created C:\Windows\SysWOW64\Ohkkhhmh.exe Odoogi32.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qeodhjmo.exe File created C:\Windows\SysWOW64\Ppioondd.dll Dbicpfdk.exe File opened for modification C:\Windows\SysWOW64\Oplfkeob.exe Omnjojpo.exe File opened for modification C:\Windows\SysWOW64\Eohmkb32.exe Egaejeej.exe File opened for modification C:\Windows\SysWOW64\Jlgoek32.exe Jihbip32.exe File opened for modification C:\Windows\SysWOW64\Nlkngo32.exe Nimbkc32.exe File opened for modification C:\Windows\SysWOW64\Ldipha32.exe Lmbhgd32.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Plpjoe32.exe File created C:\Windows\SysWOW64\Hldiinke.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Bigpblgh.dll Process not Found File created C:\Windows\SysWOW64\Bmofagfp.exe Bhcjqinf.exe File opened for modification C:\Windows\SysWOW64\Laiipofp.exe Lojmcdgl.exe File created C:\Windows\SysWOW64\Bbdhiojo.exe Bkkple32.exe File opened for modification C:\Windows\SysWOW64\Oaajed32.exe Oocmii32.exe File created C:\Windows\SysWOW64\Kjjbjd32.exe Kfnfjehl.exe File opened for modification C:\Windows\SysWOW64\Ngjkfd32.exe Npbceggm.exe File created C:\Windows\SysWOW64\Hlkbkddd.dll Pidlqb32.exe File created C:\Windows\SysWOW64\Mlkepaam.exe Milidebi.exe File opened for modification C:\Windows\SysWOW64\Hdhedh32.exe Hlambk32.exe File opened for modification C:\Windows\SysWOW64\Ckmonl32.exe Cljobphg.exe File created C:\Windows\SysWOW64\Minqeaad.dll Lokdnjkg.exe File created C:\Windows\SysWOW64\Klekfinp.exe Khiofk32.exe File opened for modification C:\Windows\SysWOW64\Hoobdp32.exe Hlpfhe32.exe File opened for modification C:\Windows\SysWOW64\Bmggingc.exe Process not Found File created C:\Windows\SysWOW64\Nqdmimbf.dll Gfodeohd.exe File created C:\Windows\SysWOW64\Lindkm32.exe Lafmjp32.exe File created C:\Windows\SysWOW64\Nimbkc32.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Dgnkfj32.dll Hginecde.exe File created C:\Windows\SysWOW64\Phigif32.exe Paoollik.exe File created C:\Windows\SysWOW64\Diccgfpd.exe Djqblj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5544 5736 Process not Found 1185 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ganldgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncofplba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmdbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabhfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhkcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniihmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojjcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objkmkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbcfbjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhecmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbkml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjidgkog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfplibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggnadib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akccap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqeioiam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbegqjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egohdegl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekonpckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhafffk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqmop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekodjiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgind32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enfckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghdaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilfa32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll" Hpnoncim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkjmfeo.dll" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leifdf32.dll" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll" Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adkqoohc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnpcnol.dll" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjfln32.dll" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhafeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfoankj.dll" Dpnkdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbilm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjknfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll" Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkeekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhecmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okchnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjgp32.dll" Djjebh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbocfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicpgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hobipl32.dll" Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgmdnki.dll" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbqppqg.dll" Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bnmoijje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcjfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdgqmnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilphdlqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acankf32.dll" Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimapcmi.dll" Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll" Mqhfoebo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3220 wrote to memory of 4564 3220 e50f367511f501e9d0f683154c4a7340N.exe 86 PID 3220 wrote to memory of 4564 3220 e50f367511f501e9d0f683154c4a7340N.exe 86 PID 3220 wrote to memory of 4564 3220 e50f367511f501e9d0f683154c4a7340N.exe 86 PID 4564 wrote to memory of 1292 4564 Milidebi.exe 87 PID 4564 wrote to memory of 1292 4564 Milidebi.exe 87 PID 4564 wrote to memory of 1292 4564 Milidebi.exe 87 PID 1292 wrote to memory of 4140 1292 Mlkepaam.exe 88 PID 1292 wrote to memory of 4140 1292 Mlkepaam.exe 88 PID 1292 wrote to memory of 4140 1292 Mlkepaam.exe 88 PID 4140 wrote to memory of 112 4140 Mniallpq.exe 89 PID 4140 wrote to memory of 112 4140 Mniallpq.exe 89 PID 4140 wrote to memory of 112 4140 Mniallpq.exe 89 PID 112 wrote to memory of 1768 112 Mecjif32.exe 90 PID 112 wrote to memory of 1768 112 Mecjif32.exe 90 PID 112 wrote to memory of 1768 112 Mecjif32.exe 90 PID 1768 wrote to memory of 3092 1768 Mhafeb32.exe 91 PID 1768 wrote to memory of 3092 1768 Mhafeb32.exe 91 PID 1768 wrote to memory of 3092 1768 Mhafeb32.exe 91 PID 3092 wrote to memory of 4792 3092 Mjpbam32.exe 92 PID 3092 wrote to memory of 4792 3092 Mjpbam32.exe 92 PID 3092 wrote to memory of 4792 3092 Mjpbam32.exe 92 PID 4792 wrote to memory of 4164 4792 Mbgjbkfg.exe 93 PID 4792 wrote to memory of 4164 4792 Mbgjbkfg.exe 93 PID 4792 wrote to memory of 4164 4792 Mbgjbkfg.exe 93 PID 4164 wrote to memory of 2824 4164 Meefofek.exe 94 PID 4164 wrote to memory of 2824 4164 Meefofek.exe 94 PID 4164 wrote to memory of 2824 4164 Meefofek.exe 94 PID 2824 wrote to memory of 4496 2824 Mhdckaeo.exe 95 PID 2824 wrote to memory of 4496 2824 Mhdckaeo.exe 95 PID 2824 wrote to memory of 4496 2824 Mhdckaeo.exe 95 PID 4496 wrote to memory of 4060 4496 Mjbogmdb.exe 96 PID 4496 wrote to memory of 4060 4496 Mjbogmdb.exe 96 PID 4496 wrote to memory of 4060 4496 Mjbogmdb.exe 96 PID 4060 wrote to memory of 1524 4060 Mbighjdd.exe 97 PID 4060 wrote to memory of 1524 4060 Mbighjdd.exe 97 PID 4060 wrote to memory of 1524 4060 Mbighjdd.exe 97 PID 1524 wrote to memory of 4820 1524 Micoed32.exe 98 PID 1524 wrote to memory of 4820 1524 Micoed32.exe 98 PID 1524 wrote to memory of 4820 1524 Micoed32.exe 98 PID 4820 wrote to memory of 3268 4820 Mlbkap32.exe 99 PID 4820 wrote to memory of 3268 4820 Mlbkap32.exe 99 PID 4820 wrote to memory of 3268 4820 Mlbkap32.exe 99 PID 3268 wrote to memory of 1048 3268 Mnphmkji.exe 101 PID 3268 wrote to memory of 1048 3268 Mnphmkji.exe 101 PID 3268 wrote to memory of 1048 3268 Mnphmkji.exe 101 PID 1048 wrote to memory of 3168 1048 Maodigil.exe 102 PID 1048 wrote to memory of 3168 1048 Maodigil.exe 102 PID 1048 wrote to memory of 3168 1048 Maodigil.exe 102 PID 3168 wrote to memory of 1504 3168 Mhilfa32.exe 104 PID 3168 wrote to memory of 1504 3168 Mhilfa32.exe 104 PID 3168 wrote to memory of 1504 3168 Mhilfa32.exe 104 PID 1504 wrote to memory of 3112 1504 Nobdbkhf.exe 105 PID 1504 wrote to memory of 3112 1504 Nobdbkhf.exe 105 PID 1504 wrote to memory of 3112 1504 Nobdbkhf.exe 105 PID 3112 wrote to memory of 4364 3112 Naaqofgj.exe 106 PID 3112 wrote to memory of 4364 3112 Naaqofgj.exe 106 PID 3112 wrote to memory of 4364 3112 Naaqofgj.exe 106 PID 4364 wrote to memory of 4936 4364 Nihipdhl.exe 108 PID 4364 wrote to memory of 4936 4364 Nihipdhl.exe 108 PID 4364 wrote to memory of 4936 4364 Nihipdhl.exe 108 PID 4936 wrote to memory of 1096 4936 Noeahkfc.exe 109 PID 4936 wrote to memory of 1096 4936 Noeahkfc.exe 109 PID 4936 wrote to memory of 1096 4936 Noeahkfc.exe 109 PID 1096 wrote to memory of 1604 1096 Nbqmiinl.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\e50f367511f501e9d0f683154c4a7340N.exe"C:\Users\Admin\AppData\Local\Temp\e50f367511f501e9d0f683154c4a7340N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe24⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe25⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe28⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe30⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe31⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe32⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe33⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe34⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe35⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe36⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe39⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe41⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe43⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe44⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4868 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe46⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe49⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe51⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3760 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe53⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe54⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe55⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe56⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe57⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe58⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe59⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe60⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe61⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe62⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe63⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe65⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe66⤵PID:4400
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe67⤵PID:4764
-
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe69⤵PID:3688
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe70⤵PID:2044
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe71⤵PID:1212
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe72⤵PID:5016
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe73⤵PID:3192
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe74⤵PID:4760
-
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe75⤵PID:1952
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe76⤵PID:3404
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe77⤵PID:4520
-
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe78⤵PID:688
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe79⤵PID:3460
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe80⤵PID:4356
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe81⤵PID:3668
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe82⤵PID:2720
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe83⤵PID:4004
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe84⤵PID:804
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4824 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe86⤵PID:4876
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe87⤵PID:2400
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe88⤵PID:4508
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe89⤵PID:2356
-
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe90⤵PID:4528
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe91⤵PID:2280
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe92⤵PID:5156
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe93⤵PID:5200
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe94⤵
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe95⤵PID:5296
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe96⤵PID:5340
-
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe97⤵PID:5384
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe98⤵PID:5428
-
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe99⤵PID:5472
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe100⤵PID:5504
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe101⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe102⤵PID:5600
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe103⤵
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe104⤵PID:5688
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe105⤵PID:5736
-
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe106⤵PID:5780
-
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe107⤵PID:5824
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe109⤵PID:5928
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe110⤵PID:5984
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe111⤵PID:6040
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe112⤵PID:6104
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe113⤵
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe114⤵PID:5192
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe115⤵PID:5256
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe116⤵PID:5332
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe117⤵PID:5396
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe119⤵PID:5532
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe120⤵PID:5588
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-