Analysis
max time kernel: 110s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 19:18
Static task: static1
Behavioral task: behavioral1
Sample: fcc66fc6fc20a8649a7583ef74e2fee0N.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: fcc66fc6fc20a8649a7583ef74e2fee0N.exe
Resource: win10v2004-20240802-en
General
Target: fcc66fc6fc20a8649a7583ef74e2fee0N.exe
Size: 59KB
MD5: fcc66fc6fc20a8649a7583ef74e2fee0
SHA1: 10bd7b587eb9899f8402329af0e0dd229b70f6ea
SHA256: c79b3b8cdd621316e4a48e49d62ac4501e539ffe9370e789cb569ad272e5d064
SHA512: b951e25c26a1b700fd2fd744a173f110b9381b54194fa0a1aa631fa1d9b9dcdc46983df5496d2cc2f42a4b4e702d980c4ed47599e63d5783795965ee0a937295
SSDEEP: 1536:tWDo47bMS2OEx7hQa7IJwzrHGdIz/pShah:cESzEVh3xwIz/Kah
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7464, pid_target: 7100, Process: WerFault.exe, procid_target: 1065
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcc66fc6fc20a8649a7583ef74e2fee0N.exe"C:\Users\Admin\AppData\Local\Temp\fcc66fc6fc20a8649a7583ef74e2fee0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Kipgoiqa.exeC:\Windows\system32\Kipgoiqa.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5128 -
C:\Windows\SysWOW64\Kpjpkchn.exeC:\Windows\system32\Kpjpkchn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5152 -
C:\Windows\SysWOW64\Kbhlgoga.exeC:\Windows\system32\Kbhlgoga.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Kibddi32.exeC:\Windows\system32\Kibddi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Kdhhaa32.exeC:\Windows\system32\Kdhhaa32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Lkaqnlfa.exeC:\Windows\system32\Lkaqnlfa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Lpoifc32.exeC:\Windows\system32\Lpoifc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5648 -
C:\Windows\SysWOW64\Ldjegala.exeC:\Windows\system32\Ldjegala.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Ligmohki.exeC:\Windows\system32\Ligmohki.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Lpaflb32.exeC:\Windows\system32\Lpaflb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5184 -
C:\Windows\SysWOW64\Lgknimib.exeC:\Windows\system32\Lgknimib.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6112 -
C:\Windows\SysWOW64\Liijehif.exeC:\Windows\system32\Liijehif.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6004 -
C:\Windows\SysWOW64\Lpcbabpc.exeC:\Windows\system32\Lpcbabpc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5860 -
C:\Windows\SysWOW64\Lgmknl32.exeC:\Windows\system32\Lgmknl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5960 -
C:\Windows\SysWOW64\Lmgckfom.exeC:\Windows\system32\Lmgckfom.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Lcdkcmmd.exeC:\Windows\system32\Lcdkcmmd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5868 -
C:\Windows\SysWOW64\Lmipqfmj.exeC:\Windows\system32\Lmipqfmj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5500 -
C:\Windows\SysWOW64\Mcfhim32.exeC:\Windows\system32\Mcfhim32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Mmllfe32.exeC:\Windows\system32\Mmllfe32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Mdfdcpbd.exeC:\Windows\system32\Mdfdcpbd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Mkpmpj32.exeC:\Windows\system32\Mkpmpj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Mnnile32.exeC:\Windows\system32\Mnnile32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Mdhahppa.exeC:\Windows\system32\Mdhahppa.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Mkbieihn.exeC:\Windows\system32\Mkbieihn.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Malabc32.exeC:\Windows\system32\Malabc32.exe26⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Mcmnilei.exeC:\Windows\system32\Mcmnilei.exe27⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Mjgfff32.exeC:\Windows\system32\Mjgfff32.exe28⤵
- Executes dropped EXE
PID:5740 -
C:\Windows\SysWOW64\Mpaocpdc.exeC:\Windows\system32\Mpaocpdc.exe29⤵
- Executes dropped EXE
PID:5256 -
C:\Windows\SysWOW64\Mgkgpj32.exeC:\Windows\system32\Mgkgpj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5708 -
C:\Windows\SysWOW64\Mneold32.exeC:\Windows\system32\Mneold32.exe31⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Mpckhp32.exeC:\Windows\system32\Mpckhp32.exe32⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Njlpaeha.exeC:\Windows\system32\Njlpaeha.exe33⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Nachbbic.exeC:\Windows\system32\Nachbbic.exe34⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ncddjk32.exeC:\Windows\system32\Ncddjk32.exe35⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Njnmge32.exeC:\Windows\system32\Njnmge32.exe36⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Naedhb32.exeC:\Windows\system32\Naedhb32.exe37⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ncgapjmo.exeC:\Windows\system32\Ncgapjmo.exe38⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Nkniahna.exeC:\Windows\system32\Nkniahna.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Nahanb32.exeC:\Windows\system32\Nahanb32.exe40⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Ndfnjm32.exeC:\Windows\system32\Ndfnjm32.exe41⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ngdjfi32.exeC:\Windows\system32\Ngdjfi32.exe42⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Njcfbd32.exeC:\Windows\system32\Njcfbd32.exe43⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Nqmnon32.exeC:\Windows\system32\Nqmnon32.exe44⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Nckjkj32.exeC:\Windows\system32\Nckjkj32.exe45⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Nkbblg32.exeC:\Windows\system32\Nkbblg32.exe46⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Nnaohb32.exeC:\Windows\system32\Nnaohb32.exe47⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Oqokdn32.exeC:\Windows\system32\Oqokdn32.exe48⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Ogicahop.exeC:\Windows\system32\Ogicahop.exe49⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ojhomcnc.exeC:\Windows\system32\Ojhomcnc.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Odmcjl32.exeC:\Windows\system32\Odmcjl32.exe51⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Oglpfh32.exeC:\Windows\system32\Oglpfh32.exe52⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ojjlbc32.exeC:\Windows\system32\Ojjlbc32.exe53⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Odpppl32.exeC:\Windows\system32\Odpppl32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Windows\SysWOW64\Ojlihc32.exeC:\Windows\system32\Ojlihc32.exe55⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Oqfaem32.exeC:\Windows\system32\Oqfaem32.exe56⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ogpiagih.exeC:\Windows\system32\Ogpiagih.exe57⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Oklebf32.exeC:\Windows\system32\Oklebf32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3772 -
C:\Windows\SysWOW64\Obfnopin.exeC:\Windows\system32\Obfnopin.exe59⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Ocgjfh32.exeC:\Windows\system32\Ocgjfh32.exe60⤵
- Executes dropped EXE
PID:6136 -
C:\Windows\SysWOW64\Ojabcbfi.exeC:\Windows\system32\Ojabcbfi.exe61⤵
- Executes dropped EXE
PID:5548 -
C:\Windows\SysWOW64\Onmnda32.exeC:\Windows\system32\Onmnda32.exe62⤵
- Executes dropped EXE
PID:5496 -
C:\Windows\SysWOW64\Pciglhmi.exeC:\Windows\system32\Pciglhmi.exe63⤵
- Executes dropped EXE
PID:5440 -
C:\Windows\SysWOW64\Pnokiqlo.exeC:\Windows\system32\Pnokiqlo.exe64⤵
- Executes dropped EXE
PID:5540 -
C:\Windows\SysWOW64\Pdicfk32.exeC:\Windows\system32\Pdicfk32.exe65⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Pkckceki.exeC:\Windows\system32\Pkckceki.exe66⤵
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Pbmcpo32.exeC:\Windows\system32\Pbmcpo32.exe67⤵PID:3332
-
C:\Windows\SysWOW64\Pdkplj32.exeC:\Windows\system32\Pdkplj32.exe68⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\Pjhhdapa.exeC:\Windows\system32\Pjhhdapa.exe69⤵PID:6104
-
C:\Windows\SysWOW64\Pqbqqk32.exeC:\Windows\system32\Pqbqqk32.exe70⤵PID:6068
-
C:\Windows\SysWOW64\Pkgend32.exeC:\Windows\system32\Pkgend32.exe71⤵PID:6088
-
C:\Windows\SysWOW64\Pbamknoq.exeC:\Windows\system32\Pbamknoq.exe72⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Pccibf32.exeC:\Windows\system32\Pccibf32.exe73⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Pkjacdea.exeC:\Windows\system32\Pkjacdea.exe74⤵PID:5492
-
C:\Windows\SysWOW64\Qqgjlkch.exeC:\Windows\system32\Qqgjlkch.exe75⤵PID:5784
-
C:\Windows\SysWOW64\Qklniccn.exeC:\Windows\system32\Qklniccn.exe76⤵PID:2708
-
C:\Windows\SysWOW64\Qnkjeobb.exeC:\Windows\system32\Qnkjeobb.exe77⤵PID:3972
-
C:\Windows\SysWOW64\Anmgko32.exeC:\Windows\system32\Anmgko32.exe78⤵
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Aakcgj32.exeC:\Windows\system32\Aakcgj32.exe79⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Akahdc32.exeC:\Windows\system32\Akahdc32.exe80⤵PID:4692
-
C:\Windows\SysWOW64\Anodpn32.exeC:\Windows\system32\Anodpn32.exe81⤵PID:2128
-
C:\Windows\SysWOW64\Aghhidem.exeC:\Windows\system32\Aghhidem.exe82⤵PID:5684
-
C:\Windows\SysWOW64\Aelibh32.exeC:\Windows\system32\Aelibh32.exe83⤵PID:5368
-
C:\Windows\SysWOW64\Akeaobkc.exeC:\Windows\system32\Akeaobkc.exe84⤵PID:4212
-
C:\Windows\SysWOW64\Aabigiik.exeC:\Windows\system32\Aabigiik.exe85⤵PID:540
-
C:\Windows\SysWOW64\Abbfalpn.exeC:\Windows\system32\Abbfalpn.exe86⤵PID:924
-
C:\Windows\SysWOW64\Bjmkfnni.exeC:\Windows\system32\Bjmkfnni.exe87⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Bhakobmb.exeC:\Windows\system32\Bhakobmb.exe88⤵PID:5632
-
C:\Windows\SysWOW64\Bjpgknlf.exeC:\Windows\system32\Bjpgknlf.exe89⤵PID:4600
-
C:\Windows\SysWOW64\Beelig32.exeC:\Windows\system32\Beelig32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5468 -
C:\Windows\SysWOW64\Bbilbk32.exeC:\Windows\system32\Bbilbk32.exe91⤵PID:4980
-
C:\Windows\SysWOW64\Beghnf32.exeC:\Windows\system32\Beghnf32.exe92⤵PID:5732
-
C:\Windows\SysWOW64\Bnpmglpj.exeC:\Windows\system32\Bnpmglpj.exe93⤵PID:1532
-
C:\Windows\SysWOW64\Bhhapafk.exeC:\Windows\system32\Bhhapafk.exe94⤵PID:1544
-
C:\Windows\SysWOW64\Belbifed.exeC:\Windows\system32\Belbifed.exe95⤵PID:2432
-
C:\Windows\SysWOW64\Cjijamcl.exeC:\Windows\system32\Cjijamcl.exe96⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Cacbng32.exeC:\Windows\system32\Cacbng32.exe97⤵
- Modifies registry class
PID:3904 -
C:\Windows\SysWOW64\Chmkka32.exeC:\Windows\system32\Chmkka32.exe98⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Windows\SysWOW64\Cdckpbhi.exeC:\Windows\system32\Cdckpbhi.exe99⤵PID:1504
-
C:\Windows\SysWOW64\Coipmkho.exeC:\Windows\system32\Coipmkho.exe100⤵PID:6044
-
C:\Windows\SysWOW64\Coklcj32.exeC:\Windows\system32\Coklcj32.exe101⤵
- Drops file in System32 directory
PID:3172 -
C:\Windows\SysWOW64\Cajiof32.exeC:\Windows\system32\Cajiof32.exe102⤵PID:368
-
C:\Windows\SysWOW64\Cdkaqa32.exeC:\Windows\system32\Cdkaqa32.exe103⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Dkdjmk32.exeC:\Windows\system32\Dkdjmk32.exe104⤵PID:4324
-
C:\Windows\SysWOW64\Dejnkd32.exeC:\Windows\system32\Dejnkd32.exe105⤵PID:3884
-
C:\Windows\SysWOW64\Dobbcipe.exeC:\Windows\system32\Dobbcipe.exe106⤵PID:5936
-
C:\Windows\SysWOW64\Dlfcmnon.exeC:\Windows\system32\Dlfcmnon.exe107⤵
- System Location Discovery: System Language Discovery
PID:4400 -
C:\Windows\SysWOW64\Dacked32.exeC:\Windows\system32\Dacked32.exe108⤵PID:3612
-
C:\Windows\SysWOW64\Ddahap32.exeC:\Windows\system32\Ddahap32.exe109⤵PID:3552
-
C:\Windows\SysWOW64\Dlipbm32.exeC:\Windows\system32\Dlipbm32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Dbbhogdh.exeC:\Windows\system32\Dbbhogdh.exe111⤵
- Modifies registry class
PID:4520 -
C:\Windows\SysWOW64\Daehkd32.exeC:\Windows\system32\Daehkd32.exe112⤵PID:5608
-
C:\Windows\SysWOW64\Dhppgnbp.exeC:\Windows\system32\Dhppgnbp.exe113⤵PID:4216
-
C:\Windows\SysWOW64\Ddfalohd.exeC:\Windows\system32\Ddfalohd.exe114⤵PID:4444
-
C:\Windows\SysWOW64\Ehbmmn32.exeC:\Windows\system32\Ehbmmn32.exe115⤵PID:1212
-
C:\Windows\SysWOW64\Ebgajg32.exeC:\Windows\system32\Ebgajg32.exe116⤵
- Drops file in System32 directory
PID:4924 -
C:\Windows\SysWOW64\Eefnfb32.exeC:\Windows\system32\Eefnfb32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Elpfclfc.exeC:\Windows\system32\Elpfclfc.exe118⤵PID:4636
-
C:\Windows\SysWOW64\Eamnkc32.exeC:\Windows\system32\Eamnkc32.exe119⤵
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Edkjgo32.exeC:\Windows\system32\Edkjgo32.exe120⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Ekecdikl.exeC:\Windows\system32\Ekecdikl.exe121⤵PID:1444
-
C:\Windows\SysWOW64\Eaokac32.exeC:\Windows\system32\Eaokac32.exe122⤵PID:4308
-