Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22/08/2024, 22:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8179405f8f8975ce1742373aad5d2ac0N.exe
Resource
win7-20240705-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
8179405f8f8975ce1742373aad5d2ac0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8179405f8f8975ce1742373aad5d2ac0N.exe
-
Size
64KB
-
MD5
8179405f8f8975ce1742373aad5d2ac0
-
SHA1
7b18d34a63288d470f7be8c61723ccad3b7ed861
-
SHA256
e5983b4a425b7471bbd0abba6dcca1e317f2806508f9543a864a1e95c3ffd8ba
-
SHA512
0348251d6e73a7716d7da154b769c81037ae071cd0c89da255ef391b783fba7dd83a17c65eb4a6169925b607dfb7e661fc1ae309bcdaf0380121ae9266e86b81
-
SSDEEP
1536:kug6cXp665H+/dGHKIUr4WMDFV1iL+iALMH6:ku6Z56kKqWMpV1iL+9Ma
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addahh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpcgbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpqcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmajbnha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blchmdff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aikbpckb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebplhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnnel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpdidol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoeoedo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgdabflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhbhapha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocchhof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhlkjaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eglkmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjcfgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deiblamk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqhcno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlcbjfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhfokoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciqmjkno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileflmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmcldhfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnbgian.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfcjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpmmfbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hommhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioeicajh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjfclcpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bammeebe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgidgakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdofpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejnbdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idhgkcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkioojpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geqlhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inflio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiojmgcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppbepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlkmlhea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioqohb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eciilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndlba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjcplhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfhjhdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmdcamko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafgob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhlgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmlih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdbofo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjbddh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbgljf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpledob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dagajlal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkqccbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neclpamg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbnopkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnjan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijppjfd.exe -
Executes dropped EXE 64 IoCs
pid Process 2088 Miipencp.exe 2160 Mdodbf32.exe 3088 Mhjpceko.exe 4512 Mfmpob32.exe 1760 Miklkm32.exe 2760 Mabdlk32.exe 2404 Mdaqhf32.exe 1048 Mjkiephp.exe 2984 Mmiealgc.exe 3692 Mphamg32.exe 4324 Nfaijand.exe 2884 Nagngjmj.exe 2800 Ndejcemn.exe 2004 Nkpbpp32.exe 4560 Nmnnlk32.exe 3964 Ndhgie32.exe 4776 Nffceq32.exe 1688 Nieoal32.exe 996 Ndjcne32.exe 1976 Ngipjp32.exe 4044 Niglfl32.exe 3992 Nandhi32.exe 3028 Ndmpddfe.exe 764 Ngklppei.exe 1352 Nmedmj32.exe 4060 Ndomiddc.exe 4064 Oileakbj.exe 1904 Okkalnjm.exe 4988 Ophjdehd.exe 2244 Oknnanhj.exe 1496 Oahgnh32.exe 1668 Ohaokbfd.exe 2516 Oickbjmb.exe 4408 Opmcod32.exe 3140 Oggllnkl.exe 920 Oiehhjjp.exe 1216 Oalpigkb.exe 2864 Pdklebje.exe 4948 Pkedbmab.exe 1956 Phiekaql.exe 3460 Pgkegn32.exe 940 Pnenchoc.exe 4452 Pdofpb32.exe 4864 Pgnblm32.exe 1380 Pjlnhi32.exe 4728 Ppffec32.exe 4424 Pgpobmca.exe 1372 Pklkbl32.exe 3080 Pnjgog32.exe 4876 Pphckb32.exe 4264 Pgbkgmao.exe 3956 Pnlcdg32.exe 5012 Qpkppbho.exe 2288 Qhbhapha.exe 1680 Qjcdih32.exe 3564 Qpmmfbfl.exe 4616 Qggebl32.exe 3340 Qkcackeb.exe 4868 Aamipe32.exe 2296 Ahgamo32.exe 1868 Akenij32.exe 1712 Ancjef32.exe 2444 Aqbfaa32.exe 4104 Aglnnkid.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jjbidk32.dll Gimjag32.exe File opened for modification C:\Windows\SysWOW64\Dendok32.exe Dabhomea.exe File opened for modification C:\Windows\SysWOW64\Fiaogfai.exe Fajgfiag.exe File opened for modification C:\Windows\SysWOW64\Njceqili.exe Nlbdba32.exe File created C:\Windows\SysWOW64\Qhachh32.dll Dofgklcb.exe File opened for modification C:\Windows\SysWOW64\Hjdcfp32.exe Hhegjdag.exe File opened for modification C:\Windows\SysWOW64\Kojdkhdd.exe Khplnn32.exe File opened for modification C:\Windows\SysWOW64\Peonhg32.exe Ppbepp32.exe File created C:\Windows\SysWOW64\Jkpqce32.dll Ncpelbap.exe File created C:\Windows\SysWOW64\Okgfdm32.exe Odnngclb.exe File opened for modification C:\Windows\SysWOW64\Picchg32.exe Palkgi32.exe File created C:\Windows\SysWOW64\Ifcdpf32.dll Ppffec32.exe File opened for modification C:\Windows\SysWOW64\Pgbkgmao.exe Pphckb32.exe File opened for modification C:\Windows\SysWOW64\Flmonbbp.exe Eiobbgcl.exe File created C:\Windows\SysWOW64\Cmqljn32.dll Gaffbg32.exe File created C:\Windows\SysWOW64\Fhbfdm32.dll Kfbmgo32.exe File opened for modification C:\Windows\SysWOW64\Dkehlo32.exe Dcnqkb32.exe File created C:\Windows\SysWOW64\Bgqedh32.dll Mnaghb32.exe File created C:\Windows\SysWOW64\Djkdnool.exe Dcalae32.exe File opened for modification C:\Windows\SysWOW64\Jmihpa32.exe Jinloboo.exe File opened for modification C:\Windows\SysWOW64\Kkdnjd32.exe Kfhbifgq.exe File created C:\Windows\SysWOW64\Cqiehnml.exe Cjomldfp.exe File opened for modification C:\Windows\SysWOW64\Flddoa32.exe Fhiinbdo.exe File created C:\Windows\SysWOW64\Inoeep32.dll Fjdajhbi.exe File created C:\Windows\SysWOW64\Jcimnfna.dll Hmjmnpmb.exe File created C:\Windows\SysWOW64\Ppnbpg32.exe Pehnboko.exe File created C:\Windows\SysWOW64\Dgplai32.exe Doidql32.exe File created C:\Windows\SysWOW64\Cqpnlobf.dll Ojopki32.exe File created C:\Windows\SysWOW64\Qhbhapha.exe Qpkppbho.exe File opened for modification C:\Windows\SysWOW64\Lmcldhfp.exe Lfjchn32.exe File created C:\Windows\SysWOW64\Jdiglgbg.exe Jkqccbkf.exe File opened for modification C:\Windows\SysWOW64\Opgloh32.exe Obcled32.exe File created C:\Windows\SysWOW64\Hdodeedi.exe Haphiiee.exe File created C:\Windows\SysWOW64\Pqchjm32.dll Albikp32.exe File opened for modification C:\Windows\SysWOW64\Mpoljg32.exe Mjednmla.exe File created C:\Windows\SysWOW64\Dncehk32.exe Dkehlo32.exe File created C:\Windows\SysWOW64\Qiocde32.exe Qniogl32.exe File created C:\Windows\SysWOW64\Chbenm32.exe Ccfmef32.exe File opened for modification C:\Windows\SysWOW64\Hppedpkf.exe Hmaihekc.exe File created C:\Windows\SysWOW64\Johfep32.dll Lcpledob.exe File created C:\Windows\SysWOW64\Oggqho32.exe Oqmhlego.exe File opened for modification C:\Windows\SysWOW64\Pqkdmc32.exe Pnmhqh32.exe File created C:\Windows\SysWOW64\Pcgdcome.exe Pbfglg32.exe File created C:\Windows\SysWOW64\Pkedbmab.exe Pdklebje.exe File opened for modification C:\Windows\SysWOW64\Diafqi32.exe Dajnol32.exe File created C:\Windows\SysWOW64\Ljccfoqj.dll Gahcgg32.exe File created C:\Windows\SysWOW64\Gokmfe32.exe Gjpaffhl.exe File created C:\Windows\SysWOW64\Gfifen32.dll Jacnegep.exe File opened for modification C:\Windows\SysWOW64\Ldohogfe.exe Lpcmoi32.exe File created C:\Windows\SysWOW64\Ncpelbap.exe Mncmck32.exe File created C:\Windows\SysWOW64\Oalpigkb.exe Oiehhjjp.exe File opened for modification C:\Windows\SysWOW64\Ecnbgian.exe Enajobbf.exe File created C:\Windows\SysWOW64\Dljqjjnp.exe Djkdnool.exe File created C:\Windows\SysWOW64\Pklkbl32.exe Pgpobmca.exe File opened for modification C:\Windows\SysWOW64\Kiajck32.exe Kfbmgo32.exe File opened for modification C:\Windows\SysWOW64\Mpnglbkf.exe Mmokpglb.exe File opened for modification C:\Windows\SysWOW64\Ihdjfhhc.exe Imofip32.exe File opened for modification C:\Windows\SysWOW64\Pbahgbfc.exe Pmdpok32.exe File created C:\Windows\SysWOW64\Gdpenp32.dll Ffhnocfd.exe File created C:\Windows\SysWOW64\Qoecli32.dll Ppkopail.exe File created C:\Windows\SysWOW64\Apmfnbao.dll Kmjinjnj.exe File created C:\Windows\SysWOW64\Komoed32.exe Kicfijal.exe File opened for modification C:\Windows\SysWOW64\Lckglc32.exe Kkdoje32.exe File opened for modification C:\Windows\SysWOW64\Qdhalj32.exe Qpmfklbq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7116 8996 WerFault.exe 1026 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpedckdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnenchoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfepldb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blchmdff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njokei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkeedk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioqohb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfipakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccfmef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimmil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqfpoope.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhgkcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohplf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albikp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiphebml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqjbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihkgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dagajlal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndejcemn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faamghko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhegjdag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkegn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dendok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niglfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Celgjlpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbdijpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abqjci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakjfcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmmpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmqggncn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmiagbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehcndkaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdbedmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nieoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjmnpmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdeinhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldeap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijppjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cokgonmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iajkohmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpqcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aemqdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpobmca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnqap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcphpdil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkpmcddi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnlng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbfaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgnka32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjgog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elaobdmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glkkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midoph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ommjnlnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjocaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oggllnkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghpooanf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dncehk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnpjdfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpenp32.dll" Ffhnocfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoapldei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgopog32.dll" Ijcecgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehbkica.dll" Lmnjan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckcbaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamlhdea.dll" Dagajlal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nicbpf32.dll" Anjikoip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linojbdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aemqdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqabj32.dll" Ebifha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnlcdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agqhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Capkim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Celgjlpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elaobdmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgcpb32.dll" Faamghko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igkmbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opfedb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlhn32.dll" Aejmdegn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlckik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgpaqbcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajlpepbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpipcb32.dll" Cpfkna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnjqhcno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoapldei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkdnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qggebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haapme32.dll" Agqhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqiehnml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckfofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dagajlal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Decmjjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkomhhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcllk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkehlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiing32.dll" Nmajbnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdlajf32.dll" Ikifhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaonaekb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdpfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdqfbai.dll" Elfhmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkjpklj.dll" Mjcljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qckbggad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apcllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioqohb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iobecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeomnh32.dll" Mglhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efnennjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lofjam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naompiea.dll" Kkioojpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffekom32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 348 wrote to memory of 2088 348 8179405f8f8975ce1742373aad5d2ac0N.exe 93 PID 348 wrote to memory of 2088 348 8179405f8f8975ce1742373aad5d2ac0N.exe 93 PID 348 wrote to memory of 2088 348 8179405f8f8975ce1742373aad5d2ac0N.exe 93 PID 2088 wrote to memory of 2160 2088 Miipencp.exe 94 PID 2088 wrote to memory of 2160 2088 Miipencp.exe 94 PID 2088 wrote to memory of 2160 2088 Miipencp.exe 94 PID 2160 wrote to memory of 3088 2160 Mdodbf32.exe 95 PID 2160 wrote to memory of 3088 2160 Mdodbf32.exe 95 PID 2160 wrote to memory of 3088 2160 Mdodbf32.exe 95 PID 3088 wrote to memory of 4512 3088 Mhjpceko.exe 96 PID 3088 wrote to memory of 4512 3088 Mhjpceko.exe 96 PID 3088 wrote to memory of 4512 3088 Mhjpceko.exe 96 PID 4512 wrote to memory of 1760 4512 Mfmpob32.exe 97 PID 4512 wrote to memory of 1760 4512 Mfmpob32.exe 97 PID 4512 wrote to memory of 1760 4512 Mfmpob32.exe 97 PID 1760 wrote to memory of 2760 1760 Miklkm32.exe 98 PID 1760 wrote to memory of 2760 1760 Miklkm32.exe 98 PID 1760 wrote to memory of 2760 1760 Miklkm32.exe 98 PID 2760 wrote to memory of 2404 2760 Mabdlk32.exe 99 PID 2760 wrote to memory of 2404 2760 Mabdlk32.exe 99 PID 2760 wrote to memory of 2404 2760 Mabdlk32.exe 99 PID 2404 wrote to memory of 1048 2404 Mdaqhf32.exe 100 PID 2404 wrote to memory of 1048 2404 Mdaqhf32.exe 100 PID 2404 wrote to memory of 1048 2404 Mdaqhf32.exe 100 PID 1048 wrote to memory of 2984 1048 Mjkiephp.exe 101 PID 1048 wrote to memory of 2984 1048 Mjkiephp.exe 101 PID 1048 wrote to memory of 2984 1048 Mjkiephp.exe 101 PID 2984 wrote to memory of 3692 2984 Mmiealgc.exe 102 PID 2984 wrote to memory of 3692 2984 Mmiealgc.exe 102 PID 2984 wrote to memory of 3692 2984 Mmiealgc.exe 102 PID 3692 wrote to memory of 4324 3692 Mphamg32.exe 103 PID 3692 wrote to memory of 4324 3692 Mphamg32.exe 103 PID 3692 wrote to memory of 4324 3692 Mphamg32.exe 103 PID 4324 wrote to memory of 2884 4324 Nfaijand.exe 104 PID 4324 wrote to memory of 2884 4324 Nfaijand.exe 104 PID 4324 wrote to memory of 2884 4324 Nfaijand.exe 104 PID 2884 wrote to memory of 2800 2884 Nagngjmj.exe 105 PID 2884 wrote to memory of 2800 2884 Nagngjmj.exe 105 PID 2884 wrote to memory of 2800 2884 Nagngjmj.exe 105 PID 2800 wrote to memory of 2004 2800 Ndejcemn.exe 106 PID 2800 wrote to memory of 2004 2800 Ndejcemn.exe 106 PID 2800 wrote to memory of 2004 2800 Ndejcemn.exe 106 PID 2004 wrote to memory of 4560 2004 Nkpbpp32.exe 107 PID 2004 wrote to memory of 4560 2004 Nkpbpp32.exe 107 PID 2004 wrote to memory of 4560 2004 Nkpbpp32.exe 107 PID 4560 wrote to memory of 3964 4560 Nmnnlk32.exe 108 PID 4560 wrote to memory of 3964 4560 Nmnnlk32.exe 108 PID 4560 wrote to memory of 3964 4560 Nmnnlk32.exe 108 PID 3964 wrote to memory of 4776 3964 Ndhgie32.exe 109 PID 3964 wrote to memory of 4776 3964 Ndhgie32.exe 109 PID 3964 wrote to memory of 4776 3964 Ndhgie32.exe 109 PID 4776 wrote to memory of 1688 4776 Nffceq32.exe 110 PID 4776 wrote to memory of 1688 4776 Nffceq32.exe 110 PID 4776 wrote to memory of 1688 4776 Nffceq32.exe 110 PID 1688 wrote to memory of 996 1688 Nieoal32.exe 111 PID 1688 wrote to memory of 996 1688 Nieoal32.exe 111 PID 1688 wrote to memory of 996 1688 Nieoal32.exe 111 PID 996 wrote to memory of 1976 996 Ndjcne32.exe 112 PID 996 wrote to memory of 1976 996 Ndjcne32.exe 112 PID 996 wrote to memory of 1976 996 Ndjcne32.exe 112 PID 1976 wrote to memory of 4044 1976 Ngipjp32.exe 113 PID 1976 wrote to memory of 4044 1976 Ngipjp32.exe 113 PID 1976 wrote to memory of 4044 1976 Ngipjp32.exe 113 PID 4044 wrote to memory of 3992 4044 Niglfl32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\8179405f8f8975ce1742373aad5d2ac0N.exe"C:\Users\Admin\AppData\Local\Temp\8179405f8f8975ce1742373aad5d2ac0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Miipencp.exeC:\Windows\system32\Miipencp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Mdodbf32.exeC:\Windows\system32\Mdodbf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Mhjpceko.exeC:\Windows\system32\Mhjpceko.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Miklkm32.exeC:\Windows\system32\Miklkm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Mdaqhf32.exeC:\Windows\system32\Mdaqhf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Mjkiephp.exeC:\Windows\system32\Mjkiephp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Mphamg32.exeC:\Windows\system32\Mphamg32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Nagngjmj.exeC:\Windows\system32\Nagngjmj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ndejcemn.exeC:\Windows\system32\Ndejcemn.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Nkpbpp32.exeC:\Windows\system32\Nkpbpp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Nmnnlk32.exeC:\Windows\system32\Nmnnlk32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Ndhgie32.exeC:\Windows\system32\Ndhgie32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Nffceq32.exeC:\Windows\system32\Nffceq32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Nieoal32.exeC:\Windows\system32\Nieoal32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Ngipjp32.exeC:\Windows\system32\Ngipjp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Niglfl32.exeC:\Windows\system32\Niglfl32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Nandhi32.exeC:\Windows\system32\Nandhi32.exe23⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ndmpddfe.exeC:\Windows\system32\Ndmpddfe.exe24⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ngklppei.exeC:\Windows\system32\Ngklppei.exe25⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe26⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Ndomiddc.exeC:\Windows\system32\Ndomiddc.exe27⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Oileakbj.exeC:\Windows\system32\Oileakbj.exe28⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe29⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ophjdehd.exeC:\Windows\system32\Ophjdehd.exe30⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe31⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Oahgnh32.exeC:\Windows\system32\Oahgnh32.exe32⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ohaokbfd.exeC:\Windows\system32\Ohaokbfd.exe33⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Oickbjmb.exeC:\Windows\system32\Oickbjmb.exe34⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe35⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3140 -
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe38⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Pdklebje.exeC:\Windows\system32\Pdklebje.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Pkedbmab.exeC:\Windows\system32\Pkedbmab.exe40⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe41⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Pgkegn32.exeC:\Windows\system32\Pgkegn32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\Pnenchoc.exeC:\Windows\system32\Pnenchoc.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Pdofpb32.exeC:\Windows\system32\Pdofpb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Pgnblm32.exeC:\Windows\system32\Pgnblm32.exe45⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Pjlnhi32.exeC:\Windows\system32\Pjlnhi32.exe46⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Ppffec32.exeC:\Windows\system32\Ppffec32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4728 -
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4424 -
C:\Windows\SysWOW64\Pklkbl32.exeC:\Windows\system32\Pklkbl32.exe49⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3080 -
C:\Windows\SysWOW64\Pphckb32.exeC:\Windows\system32\Pphckb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Pgbkgmao.exeC:\Windows\system32\Pgbkgmao.exe52⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3956 -
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Qhbhapha.exeC:\Windows\system32\Qhbhapha.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe56⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Qggebl32.exeC:\Windows\system32\Qggebl32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Qkcackeb.exeC:\Windows\system32\Qkcackeb.exe59⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe60⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe61⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe62⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ancjef32.exeC:\Windows\system32\Ancjef32.exe63⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe65⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Anffje32.exeC:\Windows\system32\Anffje32.exe66⤵PID:2268
-
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe67⤵PID:404
-
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe68⤵PID:3616
-
C:\Windows\SysWOW64\Abdoqd32.exeC:\Windows\system32\Abdoqd32.exe69⤵PID:4900
-
C:\Windows\SysWOW64\Adbkmo32.exeC:\Windows\system32\Adbkmo32.exe70⤵PID:5160
-
C:\Windows\SysWOW64\Agqhik32.exeC:\Windows\system32\Agqhik32.exe71⤵
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Anjpeelk.exeC:\Windows\system32\Anjpeelk.exe72⤵PID:5240
-
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe73⤵PID:5284
-
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe74⤵PID:5320
-
C:\Windows\SysWOW64\Ajaqjfbp.exeC:\Windows\system32\Ajaqjfbp.exe75⤵PID:5364
-
C:\Windows\SysWOW64\Bbhhlccb.exeC:\Windows\system32\Bbhhlccb.exe76⤵PID:5404
-
C:\Windows\SysWOW64\Bdgehobe.exeC:\Windows\system32\Bdgehobe.exe77⤵PID:5444
-
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe78⤵PID:5484
-
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe79⤵PID:5524
-
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe80⤵PID:5564
-
C:\Windows\SysWOW64\Bhennm32.exeC:\Windows\system32\Bhennm32.exe81⤵PID:5608
-
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe82⤵PID:5648
-
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe83⤵PID:5696
-
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe84⤵PID:5744
-
C:\Windows\SysWOW64\Bkefphem.exeC:\Windows\system32\Bkefphem.exe85⤵PID:5776
-
C:\Windows\SysWOW64\Bbpolb32.exeC:\Windows\system32\Bbpolb32.exe86⤵PID:5836
-
C:\Windows\SysWOW64\Bglgdi32.exeC:\Windows\system32\Bglgdi32.exe87⤵PID:5880
-
C:\Windows\SysWOW64\Bnfoac32.exeC:\Windows\system32\Bnfoac32.exe88⤵PID:5924
-
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe89⤵PID:5972
-
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe90⤵PID:6016
-
C:\Windows\SysWOW64\Bilcol32.exeC:\Windows\system32\Bilcol32.exe91⤵PID:6060
-
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe92⤵PID:6104
-
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe93⤵PID:2164
-
C:\Windows\SysWOW64\Cnhlgc32.exeC:\Windows\system32\Cnhlgc32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5196 -
C:\Windows\SysWOW64\Cebdcmhh.exeC:\Windows\system32\Cebdcmhh.exe95⤵PID:5268
-
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe96⤵PID:5328
-
C:\Windows\SysWOW64\Ckmmpg32.exeC:\Windows\system32\Ckmmpg32.exe97⤵
- System Location Discovery: System Language Discovery
PID:5416 -
C:\Windows\SysWOW64\Cjomldfp.exeC:\Windows\system32\Cjomldfp.exe98⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Cqiehnml.exeC:\Windows\system32\Cqiehnml.exe99⤵
- Modifies registry class
PID:5548 -
C:\Windows\SysWOW64\Ciqmjkno.exeC:\Windows\system32\Ciqmjkno.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe101⤵PID:5732
-
C:\Windows\SysWOW64\Cnmebblf.exeC:\Windows\system32\Cnmebblf.exe102⤵PID:5720
-
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe103⤵PID:5796
-
C:\Windows\SysWOW64\Cegnol32.exeC:\Windows\system32\Cegnol32.exe104⤵PID:5912
-
C:\Windows\SysWOW64\Cicjokll.exeC:\Windows\system32\Cicjokll.exe105⤵PID:6012
-
C:\Windows\SysWOW64\Ckafkfkp.exeC:\Windows\system32\Ckafkfkp.exe106⤵PID:6112
-
C:\Windows\SysWOW64\Cjdfgc32.exeC:\Windows\system32\Cjdfgc32.exe107⤵PID:5184
-
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe108⤵PID:5372
-
C:\Windows\SysWOW64\Canocm32.exeC:\Windows\system32\Canocm32.exe109⤵PID:5432
-
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe110⤵PID:5556
-
C:\Windows\SysWOW64\Ckcbaf32.exeC:\Windows\system32\Ckcbaf32.exe111⤵
- Modifies registry class
PID:5680 -
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5824 -
C:\Windows\SysWOW64\Cbnknpqj.exeC:\Windows\system32\Cbnknpqj.exe113⤵PID:5920
-
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Celgjlpn.exeC:\Windows\system32\Celgjlpn.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Ckfofe32.exeC:\Windows\system32\Ckfofe32.exe117⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Dabhomea.exeC:\Windows\system32\Dabhomea.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe120⤵
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-