Analysis
-
max time kernel
106s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 05:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f2351066b9bcc3328392a2fdb8d6300N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
8f2351066b9bcc3328392a2fdb8d6300N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
8f2351066b9bcc3328392a2fdb8d6300N.exe
-
Size
80KB
-
MD5
8f2351066b9bcc3328392a2fdb8d6300
-
SHA1
2f420e06807e6127ce57a42f03150707775eef40
-
SHA256
8d316cf0a313eac1546c3f65606118a0ca9981caf490f48c70d1e6f731d75bb6
-
SHA512
623300b0e08a0292f2ff5bd4f9a87f126858d3b5411a51500a5e56be8b16ca693f44bd5949e093135d61fda4d03071324a965d30d09f7a20ea28b3bb6cb98695
-
SSDEEP
1536:EtQPhHhdB89X9+00W5dpE7Fmxs/R0LpMCENBn2LFJ9VqDlzVxyh+CbxMa:EtQ5HhdePUW5dpE7Qs/R0LpMCENBMFJP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebfign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnmfclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhqcgnk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhjph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebaplnie.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeaoab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncofplba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmfplibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfcjfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljqhkckn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockdmmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnlme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqblj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifppdpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbenoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmkhgho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbonoghb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bepmoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglkoeio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgqpkip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkmdkgob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplpll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npepkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fooclapd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbkfbcpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahjgjj32.exe -
Executes dropped EXE 64 IoCs
pid Process 1412 Hjhalefe.exe 456 Hpbiip32.exe 3516 Hhiajmod.exe 4632 Hjjnae32.exe 556 Haafcb32.exe 624 Hhknpmma.exe 3416 Hjlkge32.exe 4104 Hacbhb32.exe 3108 Idbodn32.exe 4744 Iklgah32.exe 2772 Injcmc32.exe 3688 Ihphkl32.exe 1924 Ikndgg32.exe 1436 Iahlcaol.exe 3372 Idghpmnp.exe 1276 Igedlh32.exe 3452 Inomhbeq.exe 2016 Idieem32.exe 1008 Ijfnmc32.exe 2836 Iqpfjnba.exe 4640 Idkbkl32.exe 3368 Ikejgf32.exe 3612 Ibobdqid.exe 2320 Jhijqj32.exe 4948 Jkhgmf32.exe 1840 Jbaojpgb.exe 2232 Jqdoem32.exe 3444 Jkjcbe32.exe 5000 Jnhpoamf.exe 1664 Jqglkmlj.exe 4148 Jhndljll.exe 4468 Jjopcb32.exe 3672 Jbfheo32.exe 3400 Jdedak32.exe 2748 Jkomneim.exe 2000 Jibmgi32.exe 3168 Jnpfop32.exe 3760 Kqnbkl32.exe 3744 Kiejmi32.exe 2628 Kjffdalb.exe 3172 Kqpoakco.exe 2360 Kgjgne32.exe 2904 Kjhcjq32.exe 2532 Kqbkfkal.exe 5044 Kgmcce32.exe 4840 Kjkpoq32.exe 1588 Kaehljpj.exe 1032 Kilpmh32.exe 2800 Kjmmepfj.exe 4844 Kbddfmgl.exe 864 Kecabifp.exe 4516 Kgamnded.exe 4584 Knkekn32.exe 4444 Leenhhdn.exe 1976 Lgcjdd32.exe 3524 Lalnmiia.exe 3952 Legjmh32.exe 4420 Lkabjbih.exe 1156 Lbkkgl32.exe 2540 Lejgch32.exe 1952 Lghcocol.exe 1980 Lnbklm32.exe 4020 Laqhhi32.exe 4732 Llflea32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jmeede32.exe Jcoaglhk.exe File created C:\Windows\SysWOW64\Bgbpaipl.exe Baegibae.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Mlhqcgnk.exe File created C:\Windows\SysWOW64\Fphppfgi.dll Kjhcjq32.exe File created C:\Windows\SysWOW64\Kbddfmgl.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Mhaimehd.dll Bckkca32.exe File created C:\Windows\SysWOW64\Mhjmpfcl.dll Dngjff32.exe File opened for modification C:\Windows\SysWOW64\Flpmagqi.exe Fiaael32.exe File created C:\Windows\SysWOW64\Fopjdidn.dll Mjaabq32.exe File opened for modification C:\Windows\SysWOW64\Mfbaalbi.exe Mcdeeq32.exe File created C:\Windows\SysWOW64\Bpenhh32.dll Nmfmde32.exe File opened for modification C:\Windows\SysWOW64\Olijhmgj.exe Oiknlagg.exe File created C:\Windows\SysWOW64\Knienl32.dll Efjimhnh.exe File created C:\Windows\SysWOW64\Lfklem32.dll Ahgcjddh.exe File created C:\Windows\SysWOW64\Nmjfodne.exe Ncbafoge.exe File created C:\Windows\SysWOW64\Keoaokpd.dll Hihibbjo.exe File created C:\Windows\SysWOW64\Lcmodajm.exe Lpochfji.exe File created C:\Windows\SysWOW64\Bfbghcbm.dll Miaboe32.exe File created C:\Windows\SysWOW64\Cndepccb.dll Phdnngdn.exe File created C:\Windows\SysWOW64\Pbhafkok.dll Npepkf32.exe File created C:\Windows\SysWOW64\Oeheqm32.exe Omqmop32.exe File created C:\Windows\SysWOW64\Aepjgm32.dll Npiiffqe.exe File created C:\Windows\SysWOW64\Hnflfgji.dll Cammjakm.exe File created C:\Windows\SysWOW64\Neoieenp.exe Noeahkfc.exe File opened for modification C:\Windows\SysWOW64\Elnoopdj.exe Dpnkdq32.exe File created C:\Windows\SysWOW64\Ecefqnel.exe Elnoopdj.exe File created C:\Windows\SysWOW64\Fllkqn32.exe Fimodc32.exe File created C:\Windows\SysWOW64\Mjokgg32.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Nhmofj32.exe Nenbjo32.exe File opened for modification C:\Windows\SysWOW64\Jmeede32.exe Jcoaglhk.exe File opened for modification C:\Windows\SysWOW64\Ebaplnie.exe Enfckp32.exe File opened for modification C:\Windows\SysWOW64\Hjhalefe.exe 8f2351066b9bcc3328392a2fdb8d6300N.exe File created C:\Windows\SysWOW64\Okgaijaj.exe Ohiemobf.exe File opened for modification C:\Windows\SysWOW64\Pkhjph32.exe Pifnhpmi.exe File created C:\Windows\SysWOW64\Jcknij32.dll Dnmaea32.exe File opened for modification C:\Windows\SysWOW64\Lkabjbih.exe Legjmh32.exe File opened for modification C:\Windows\SysWOW64\Neccpd32.exe Nojjcj32.exe File created C:\Windows\SysWOW64\Lncjlq32.exe Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Apodoq32.exe Akblfj32.exe File created C:\Windows\SysWOW64\Ckcdlpbd.dll Fqgedh32.exe File created C:\Windows\SysWOW64\Hdjbiheb.exe Hmpjmn32.exe File created C:\Windows\SysWOW64\Igpdfb32.exe Idahjg32.exe File created C:\Windows\SysWOW64\Akepfpcl.exe Albpkc32.exe File opened for modification C:\Windows\SysWOW64\Cnahdi32.exe Coohhlpe.exe File created C:\Windows\SysWOW64\Pnkbkk32.exe Phajna32.exe File created C:\Windows\SysWOW64\Hlblcn32.exe Hicpgc32.exe File created C:\Windows\SysWOW64\Jhndljll.exe Jqglkmlj.exe File created C:\Windows\SysWOW64\Hclnnc32.dll Ffmfchle.exe File created C:\Windows\SysWOW64\Mkohaj32.exe Meepdp32.exe File created C:\Windows\SysWOW64\Hclkag32.dll Gbnhoj32.exe File opened for modification C:\Windows\SysWOW64\Fpbflg32.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Pqlhmf32.dll Hifcgion.exe File created C:\Windows\SysWOW64\Llobhg32.dll Dnonkq32.exe File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe Ddifgk32.exe File created C:\Windows\SysWOW64\Lpepbgbd.exe Likhem32.exe File opened for modification C:\Windows\SysWOW64\Cajjjk32.exe Ckpamabg.exe File created C:\Windows\SysWOW64\Cdaile32.exe Cpfmlghd.exe File created C:\Windows\SysWOW64\Nimbkc32.exe Nhmeapmd.exe File created C:\Windows\SysWOW64\Hkpqkcpd.exe Hdehni32.exe File created C:\Windows\SysWOW64\Jabphdjm.dll Dgeenfog.exe File created C:\Windows\SysWOW64\Fdnhih32.exe Fndpmndl.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe Galoohke.exe File opened for modification C:\Windows\SysWOW64\Ccblbb32.exe Cdolgfbp.exe File opened for modification C:\Windows\SysWOW64\Bebjdgmj.exe Bafndi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5184 7128 WerFault.exe 1015 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efepbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenbjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhbfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfhbhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poimpapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmeede32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbenoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaohcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgpeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbenmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmidnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbocbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgiimng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhejao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dojqjdbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekonpckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljmhflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnenlka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjnnbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhikacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhpimhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjknfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomffaag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paihlpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknobkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqefjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leenhhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingpmmgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaciefp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affikdfn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcehifmk.dll" Jkomneim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Kgflcifg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll" Ocihgnam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eplgeokq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoideh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefped32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmfmhll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgflcifg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebaplnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklliiom.dll" Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomjicei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkobdie.dll" Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fefedmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mmmqhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjffdalb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceelqcdb.dll" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijnmaj32.dll" Peieba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coiaiakf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilmmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkohaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnoab32.dll" Kqpoakco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgjojai.dll" Ncbafoge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mniallpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bohbhmfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekdnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfpffeaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haaaaeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll" Kocgbend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocehc.dll" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpfqchb.dll" Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll" Objkmkjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mofmobmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhckcgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgcjdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbcfhibj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" Cpmapodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbilm32.dll" Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllkqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgjndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgcme32.dll" Badanigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pencqe32.dll" Paihlpfi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4060 wrote to memory of 1412 4060 8f2351066b9bcc3328392a2fdb8d6300N.exe 84 PID 4060 wrote to memory of 1412 4060 8f2351066b9bcc3328392a2fdb8d6300N.exe 84 PID 4060 wrote to memory of 1412 4060 8f2351066b9bcc3328392a2fdb8d6300N.exe 84 PID 1412 wrote to memory of 456 1412 Hjhalefe.exe 85 PID 1412 wrote to memory of 456 1412 Hjhalefe.exe 85 PID 1412 wrote to memory of 456 1412 Hjhalefe.exe 85 PID 456 wrote to memory of 3516 456 Hpbiip32.exe 86 PID 456 wrote to memory of 3516 456 Hpbiip32.exe 86 PID 456 wrote to memory of 3516 456 Hpbiip32.exe 86 PID 3516 wrote to memory of 4632 3516 Hhiajmod.exe 88 PID 3516 wrote to memory of 4632 3516 Hhiajmod.exe 88 PID 3516 wrote to memory of 4632 3516 Hhiajmod.exe 88 PID 4632 wrote to memory of 556 4632 Hjjnae32.exe 89 PID 4632 wrote to memory of 556 4632 Hjjnae32.exe 89 PID 4632 wrote to memory of 556 4632 Hjjnae32.exe 89 PID 556 wrote to memory of 624 556 Haafcb32.exe 90 PID 556 wrote to memory of 624 556 Haafcb32.exe 90 PID 556 wrote to memory of 624 556 Haafcb32.exe 90 PID 624 wrote to memory of 3416 624 Hhknpmma.exe 91 PID 624 wrote to memory of 3416 624 Hhknpmma.exe 91 PID 624 wrote to memory of 3416 624 Hhknpmma.exe 91 PID 3416 wrote to memory of 4104 3416 Hjlkge32.exe 92 PID 3416 wrote to memory of 4104 3416 Hjlkge32.exe 92 PID 3416 wrote to memory of 4104 3416 Hjlkge32.exe 92 PID 4104 wrote to memory of 3108 4104 Hacbhb32.exe 93 PID 4104 wrote to memory of 3108 4104 Hacbhb32.exe 93 PID 4104 wrote to memory of 3108 4104 Hacbhb32.exe 93 PID 3108 wrote to memory of 4744 3108 Idbodn32.exe 94 PID 3108 wrote to memory of 4744 3108 Idbodn32.exe 94 PID 3108 wrote to memory of 4744 3108 Idbodn32.exe 94 PID 4744 wrote to memory of 2772 4744 Iklgah32.exe 95 PID 4744 wrote to memory of 2772 4744 Iklgah32.exe 95 PID 4744 wrote to memory of 2772 4744 Iklgah32.exe 95 PID 2772 wrote to memory of 3688 2772 Injcmc32.exe 97 PID 2772 wrote to memory of 3688 2772 Injcmc32.exe 97 PID 2772 wrote to memory of 3688 2772 Injcmc32.exe 97 PID 3688 wrote to memory of 1924 3688 Ihphkl32.exe 98 PID 3688 wrote to memory of 1924 3688 Ihphkl32.exe 98 PID 3688 wrote to memory of 1924 3688 Ihphkl32.exe 98 PID 1924 wrote to memory of 1436 1924 Ikndgg32.exe 99 PID 1924 wrote to memory of 1436 1924 Ikndgg32.exe 99 PID 1924 wrote to memory of 1436 1924 Ikndgg32.exe 99 PID 1436 wrote to memory of 3372 1436 Iahlcaol.exe 100 PID 1436 wrote to memory of 3372 1436 Iahlcaol.exe 100 PID 1436 wrote to memory of 3372 1436 Iahlcaol.exe 100 PID 3372 wrote to memory of 1276 3372 Idghpmnp.exe 101 PID 3372 wrote to memory of 1276 3372 Idghpmnp.exe 101 PID 3372 wrote to memory of 1276 3372 Idghpmnp.exe 101 PID 1276 wrote to memory of 3452 1276 Igedlh32.exe 103 PID 1276 wrote to memory of 3452 1276 Igedlh32.exe 103 PID 1276 wrote to memory of 3452 1276 Igedlh32.exe 103 PID 3452 wrote to memory of 2016 3452 Inomhbeq.exe 104 PID 3452 wrote to memory of 2016 3452 Inomhbeq.exe 104 PID 3452 wrote to memory of 2016 3452 Inomhbeq.exe 104 PID 2016 wrote to memory of 1008 2016 Idieem32.exe 105 PID 2016 wrote to memory of 1008 2016 Idieem32.exe 105 PID 2016 wrote to memory of 1008 2016 Idieem32.exe 105 PID 1008 wrote to memory of 2836 1008 Ijfnmc32.exe 106 PID 1008 wrote to memory of 2836 1008 Ijfnmc32.exe 106 PID 1008 wrote to memory of 2836 1008 Ijfnmc32.exe 106 PID 2836 wrote to memory of 4640 2836 Iqpfjnba.exe 107 PID 2836 wrote to memory of 4640 2836 Iqpfjnba.exe 107 PID 2836 wrote to memory of 4640 2836 Iqpfjnba.exe 107 PID 4640 wrote to memory of 3368 4640 Idkbkl32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f2351066b9bcc3328392a2fdb8d6300N.exe"C:\Users\Admin\AppData\Local\Temp\8f2351066b9bcc3328392a2fdb8d6300N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe23⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe24⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe25⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe26⤵
- Executes dropped EXE
PID:4948 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe27⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe28⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe29⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe30⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe32⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe33⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe34⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe35⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe37⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe38⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe39⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe40⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe43⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe46⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe47⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe48⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe49⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe51⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe52⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe53⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe54⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4444 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe57⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3952 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe59⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe61⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe62⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe63⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe64⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe65⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe66⤵PID:2868
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe68⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe69⤵PID:2920
-
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe70⤵PID:4376
-
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe71⤵
- Modifies registry class
PID:4128 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe72⤵
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe73⤵PID:3900
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe74⤵PID:4852
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe75⤵PID:4936
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe76⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe77⤵PID:2308
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe78⤵PID:3096
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe79⤵PID:4396
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe80⤵PID:5068
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe81⤵PID:1332
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe83⤵PID:4868
-
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe84⤵PID:3856
-
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe85⤵PID:1252
-
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe86⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe87⤵PID:4716
-
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe88⤵
- Drops file in System32 directory
PID:3144 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe89⤵
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe90⤵
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe91⤵
- Drops file in System32 directory
PID:5216 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe92⤵PID:5260
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe93⤵PID:5304
-
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe94⤵PID:5348
-
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe95⤵PID:5392
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe96⤵
- Modifies registry class
PID:5436 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe97⤵PID:5480
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe98⤵PID:5528
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe99⤵PID:5576
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe100⤵PID:5624
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe101⤵PID:5676
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe102⤵PID:5720
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe103⤵PID:5772
-
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe104⤵PID:5844
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe105⤵
- Drops file in System32 directory
PID:5900 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe106⤵PID:5960
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe107⤵PID:6008
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe108⤵PID:6052
-
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe109⤵PID:6096
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe110⤵PID:5140
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe111⤵PID:5224
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe112⤵PID:5336
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe113⤵PID:5408
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe114⤵
- Drops file in System32 directory
PID:5464 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe115⤵PID:5564
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe116⤵PID:5636
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe117⤵PID:5708
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe119⤵PID:5876
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe120⤵PID:5984
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe121⤵PID:6120
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-