Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-09-2024 06:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ccf378e5ba4694df45c9decbb0f76ad0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ccf378e5ba4694df45c9decbb0f76ad0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ccf378e5ba4694df45c9decbb0f76ad0N.exe
-
Size
80KB
-
MD5
ccf378e5ba4694df45c9decbb0f76ad0
-
SHA1
0decefde17d275fe0a6c739f128f746871b67bf9
-
SHA256
c9d1c3c8cde146dc4690cfa3d7ec6372ea15ccc5d3e702e4ef6ccfe67c0f95fe
-
SHA512
c85444c6217d54d13af906143eb007cd3a556e3b4773576510d8aa8b7f335a0532db386d6b79d47315e1a8340e17a9447b4d0100bce04ffca4785c8bb7a59708
-
SSDEEP
1536:wvbKsoZeezc85frhUCXIHzgIbGoiVDDN+zL20gJi1i9:qbK7Uac8pr2CXIHzgg7iV3gzL20WKS
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngcje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcekpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mibijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boipmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maeachag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgbhfbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnphmkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnplfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fineoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fonnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeicejia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnifbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdciiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npedmdab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkomneim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhimica.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcpahpmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdccbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kldmckic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobhkjdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglpibgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcogje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocohmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fggfnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpfjnba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjnqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgjndno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncjlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjljpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifleoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpfjma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafcqcea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfihkqm.exe -
Executes dropped EXE 64 IoCs
pid Process 4396 Fajnfl32.exe 3500 Fhdfbfdh.exe 1928 Fggfnc32.exe 2672 Fonnop32.exe 1456 Fehfljca.exe 4644 Fhgbhfbe.exe 3936 Foqkdp32.exe 3096 Gekcaj32.exe 4556 Gglpibgm.exe 5028 Gnfhfl32.exe 2128 Gdppbfff.exe 4440 Ggnlobej.exe 3152 Goedpofl.exe 5056 Gepmlimi.exe 5104 Ggqida32.exe 4568 Gohaeo32.exe 4768 Gafmaj32.exe 4720 Gddinf32.exe 3580 Ggcfja32.exe 3064 Gojnko32.exe 3620 Gnmnfkia.exe 1072 Gfdfgiid.exe 4940 Hakgmjoh.exe 1472 Hdicienl.exe 2244 Hkckeo32.exe 2476 Hnagak32.exe 4068 Hdlpneli.exe 1408 Hhgloc32.exe 3596 Hgjljpkm.exe 3056 Hoadkn32.exe 804 Hbpphi32.exe 4128 Hhihdcbp.exe 2984 Hocqam32.exe 4476 Hnfamjqg.exe 772 Hfningai.exe 1912 Hhlejcpm.exe 1612 Hgoeep32.exe 2080 Hninbj32.exe 2152 Hdbfodfa.exe 4424 Hgabkoee.exe 2724 Hkmnln32.exe 2132 Inkjhi32.exe 2196 Idebdcdo.exe 4852 Ihqoeb32.exe 2616 Ikokan32.exe 1776 Inmgmijo.exe 2412 Idgojc32.exe 2944 Iickkbje.exe 2436 Iomcgl32.exe 2688 Ifgldfio.exe 1460 Idjlpc32.exe 4816 Ighhln32.exe 1444 Ikcdlmgf.exe 5000 Inbqhhfj.exe 1288 Ifihif32.exe 3336 Iigdfa32.exe 5044 Ikfabm32.exe 4632 Ioambknl.exe 2728 Indmnh32.exe 380 Ifleoe32.exe 4364 Ienekbld.exe 2232 Igmagnkg.exe 5004 Jkhngl32.exe 4344 Jodjhkkj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qdphngfl.exe Qaalblgi.exe File opened for modification C:\Windows\SysWOW64\Hdbfodfa.exe Hninbj32.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bhamkipi.exe File created C:\Windows\SysWOW64\Idhnkf32.exe Innfnl32.exe File opened for modification C:\Windows\SysWOW64\Nmenca32.exe Njfagf32.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe Odalmibl.exe File created C:\Windows\SysWOW64\Dclkee32.exe Dannij32.exe File created C:\Windows\SysWOW64\Djfkblnn.dll Hgelek32.exe File opened for modification C:\Windows\SysWOW64\Lqndhcdc.exe Lnohlgep.exe File opened for modification C:\Windows\SysWOW64\Qhlkilba.exe Pemomqcn.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll Mkohaj32.exe File created C:\Windows\SysWOW64\Lbdjiqhc.dll Efhlhh32.exe File opened for modification C:\Windows\SysWOW64\Manmoq32.exe Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Gppcmeem.exe Gifkpknp.exe File created C:\Windows\SysWOW64\Kofkbk32.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Dmkalh32.dll Fligqhga.exe File created C:\Windows\SysWOW64\Ppihoe32.dll Glkmmefl.exe File created C:\Windows\SysWOW64\Cgnomg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjhacf32.exe Fbajbi32.exe File opened for modification C:\Windows\SysWOW64\Bfbaonae.exe Bcddcbab.exe File opened for modification C:\Windows\SysWOW64\Bcfahbpo.exe Bkoigdom.exe File created C:\Windows\SysWOW64\Dbqpfg32.dll Jljbeali.exe File opened for modification C:\Windows\SysWOW64\Qhjmdp32.exe Qpcecb32.exe File created C:\Windows\SysWOW64\Onkidm32.exe Nfcabp32.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Opnbae32.exe File created C:\Windows\SysWOW64\Pokhnl32.dll Lfhnaa32.exe File opened for modification C:\Windows\SysWOW64\Miofjepg.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Dlieda32.exe Djhimica.exe File created C:\Windows\SysWOW64\Lekmnajj.exe Lmdemd32.exe File created C:\Windows\SysWOW64\Qpcecb32.exe Qobhkjdi.exe File created C:\Windows\SysWOW64\Hqgimkfi.dll Faenpf32.exe File opened for modification C:\Windows\SysWOW64\Neafjdkn.exe Nbcjnilj.exe File opened for modification C:\Windows\SysWOW64\Efhlhh32.exe Eciplm32.exe File created C:\Windows\SysWOW64\Fbelcblk.exe Flkdfh32.exe File opened for modification C:\Windows\SysWOW64\Gihgfk32.exe Gemkelcd.exe File opened for modification C:\Windows\SysWOW64\Klfjijgq.exe Kelalp32.exe File opened for modification C:\Windows\SysWOW64\Hjedffig.exe Hkbdki32.exe File opened for modification C:\Windows\SysWOW64\Lfhnaa32.exe Llbidimc.exe File created C:\Windows\SysWOW64\Hkbdki32.exe Hdilnojp.exe File created C:\Windows\SysWOW64\Adhdjpjf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nhpbfpka.exe Neafjdkn.exe File opened for modification C:\Windows\SysWOW64\Mjahlgpf.exe Mkohaj32.exe File opened for modification C:\Windows\SysWOW64\Albpkc32.exe Aamknj32.exe File opened for modification C:\Windows\SysWOW64\Fnnjmbpm.exe Fmmmfj32.exe File created C:\Windows\SysWOW64\Ighhln32.exe Idjlpc32.exe File created C:\Windows\SysWOW64\Moqkim32.dll Hhknpmma.exe File created C:\Windows\SysWOW64\Melmcj32.dll Oehlkc32.exe File created C:\Windows\SysWOW64\Dnbbhnma.dll Jdmgfedl.exe File created C:\Windows\SysWOW64\Lqndhcdc.exe Lnohlgep.exe File opened for modification C:\Windows\SysWOW64\Ighhln32.exe Idjlpc32.exe File created C:\Windows\SysWOW64\Niklpj32.exe Nlglfe32.exe File created C:\Windows\SysWOW64\Gdmmbq32.exe Gaopfe32.exe File created C:\Windows\SysWOW64\Jofbdcmb.dll Polppg32.exe File created C:\Windows\SysWOW64\Jjdjoane.exe Jkaicd32.exe File created C:\Windows\SysWOW64\Ebkibb32.dll Okedcjcm.exe File created C:\Windows\SysWOW64\Dcnqpo32.exe Dmdhcddh.exe File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe Ahbjoe32.exe File created C:\Windows\SysWOW64\Cohkokgj.exe Chnbbqpn.exe File opened for modification C:\Windows\SysWOW64\Mahnhhod.exe Mjneln32.exe File opened for modification C:\Windows\SysWOW64\Ajndioga.exe Qebhhp32.exe File created C:\Windows\SysWOW64\Jdblhj32.dll Flkdfh32.exe File created C:\Windows\SysWOW64\Mpolbbim.dll Nqpcjj32.exe File created C:\Windows\SysWOW64\Mlbbkfoq.exe Mehjol32.exe File opened for modification C:\Windows\SysWOW64\Dihlbf32.exe Dfjpfj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6148 7096 Process not Found 1177 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfendmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phigif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljgbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhgloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifihif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpepl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggcnoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpcjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighhln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfpbmfdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbped32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqida32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqkddfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojjcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqkad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neafjdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efblbbqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngkqbgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miofjepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdemd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeicejia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbagk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgpod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofalmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikokan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmipblaq.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diffglam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll" Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgeakekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpkkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcfggkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeekkafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfdlg32.dll" Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecgdnkl.dll" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhobd32.dll" Aoalgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcqdoab.dll" Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdbhkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clddmhpl.dll" Lmmolepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll" Hoaojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdjinjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbnqkga.dll" Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eipinkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajlbmed.dll" Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folnlh32.dll" Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbffmfi.dll" Kfqgab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonhqi32.dll" Aglnbhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bidqko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffpglpg.dll" Lnpofnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhpbfpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhdbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgcamf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbkkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgbnc32.dll" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqndhcdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chglab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlgdjg32.dll" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdjbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kelalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idajkk32.dll" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glengm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" Cfkmkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmennnni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdjoane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcknj32.dll" Jicdap32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3508 wrote to memory of 4396 3508 ccf378e5ba4694df45c9decbb0f76ad0N.exe 83 PID 3508 wrote to memory of 4396 3508 ccf378e5ba4694df45c9decbb0f76ad0N.exe 83 PID 3508 wrote to memory of 4396 3508 ccf378e5ba4694df45c9decbb0f76ad0N.exe 83 PID 4396 wrote to memory of 3500 4396 Fajnfl32.exe 84 PID 4396 wrote to memory of 3500 4396 Fajnfl32.exe 84 PID 4396 wrote to memory of 3500 4396 Fajnfl32.exe 84 PID 3500 wrote to memory of 1928 3500 Fhdfbfdh.exe 85 PID 3500 wrote to memory of 1928 3500 Fhdfbfdh.exe 85 PID 3500 wrote to memory of 1928 3500 Fhdfbfdh.exe 85 PID 1928 wrote to memory of 2672 1928 Fggfnc32.exe 86 PID 1928 wrote to memory of 2672 1928 Fggfnc32.exe 86 PID 1928 wrote to memory of 2672 1928 Fggfnc32.exe 86 PID 2672 wrote to memory of 1456 2672 Fonnop32.exe 87 PID 2672 wrote to memory of 1456 2672 Fonnop32.exe 87 PID 2672 wrote to memory of 1456 2672 Fonnop32.exe 87 PID 1456 wrote to memory of 4644 1456 Fehfljca.exe 88 PID 1456 wrote to memory of 4644 1456 Fehfljca.exe 88 PID 1456 wrote to memory of 4644 1456 Fehfljca.exe 88 PID 4644 wrote to memory of 3936 4644 Fhgbhfbe.exe 90 PID 4644 wrote to memory of 3936 4644 Fhgbhfbe.exe 90 PID 4644 wrote to memory of 3936 4644 Fhgbhfbe.exe 90 PID 3936 wrote to memory of 3096 3936 Foqkdp32.exe 91 PID 3936 wrote to memory of 3096 3936 Foqkdp32.exe 91 PID 3936 wrote to memory of 3096 3936 Foqkdp32.exe 91 PID 3096 wrote to memory of 4556 3096 Gekcaj32.exe 93 PID 3096 wrote to memory of 4556 3096 Gekcaj32.exe 93 PID 3096 wrote to memory of 4556 3096 Gekcaj32.exe 93 PID 4556 wrote to memory of 5028 4556 Gglpibgm.exe 94 PID 4556 wrote to memory of 5028 4556 Gglpibgm.exe 94 PID 4556 wrote to memory of 5028 4556 Gglpibgm.exe 94 PID 5028 wrote to memory of 2128 5028 Gnfhfl32.exe 95 PID 5028 wrote to memory of 2128 5028 Gnfhfl32.exe 95 PID 5028 wrote to memory of 2128 5028 Gnfhfl32.exe 95 PID 2128 wrote to memory of 4440 2128 Gdppbfff.exe 96 PID 2128 wrote to memory of 4440 2128 Gdppbfff.exe 96 PID 2128 wrote to memory of 4440 2128 Gdppbfff.exe 96 PID 4440 wrote to memory of 3152 4440 Ggnlobej.exe 97 PID 4440 wrote to memory of 3152 4440 Ggnlobej.exe 97 PID 4440 wrote to memory of 3152 4440 Ggnlobej.exe 97 PID 3152 wrote to memory of 5056 3152 Goedpofl.exe 99 PID 3152 wrote to memory of 5056 3152 Goedpofl.exe 99 PID 3152 wrote to memory of 5056 3152 Goedpofl.exe 99 PID 5056 wrote to memory of 5104 5056 Gepmlimi.exe 100 PID 5056 wrote to memory of 5104 5056 Gepmlimi.exe 100 PID 5056 wrote to memory of 5104 5056 Gepmlimi.exe 100 PID 5104 wrote to memory of 4568 5104 Ggqida32.exe 101 PID 5104 wrote to memory of 4568 5104 Ggqida32.exe 101 PID 5104 wrote to memory of 4568 5104 Ggqida32.exe 101 PID 4568 wrote to memory of 4768 4568 Gohaeo32.exe 102 PID 4568 wrote to memory of 4768 4568 Gohaeo32.exe 102 PID 4568 wrote to memory of 4768 4568 Gohaeo32.exe 102 PID 4768 wrote to memory of 4720 4768 Gafmaj32.exe 103 PID 4768 wrote to memory of 4720 4768 Gafmaj32.exe 103 PID 4768 wrote to memory of 4720 4768 Gafmaj32.exe 103 PID 4720 wrote to memory of 3580 4720 Gddinf32.exe 104 PID 4720 wrote to memory of 3580 4720 Gddinf32.exe 104 PID 4720 wrote to memory of 3580 4720 Gddinf32.exe 104 PID 3580 wrote to memory of 3064 3580 Ggcfja32.exe 105 PID 3580 wrote to memory of 3064 3580 Ggcfja32.exe 105 PID 3580 wrote to memory of 3064 3580 Ggcfja32.exe 105 PID 3064 wrote to memory of 3620 3064 Gojnko32.exe 106 PID 3064 wrote to memory of 3620 3064 Gojnko32.exe 106 PID 3064 wrote to memory of 3620 3064 Gojnko32.exe 106 PID 3620 wrote to memory of 1072 3620 Gnmnfkia.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ccf378e5ba4694df45c9decbb0f76ad0N.exe"C:\Users\Admin\AppData\Local\Temp\ccf378e5ba4694df45c9decbb0f76ad0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe23⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe24⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe25⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe26⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe27⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe28⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe31⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe32⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe33⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe34⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe35⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe36⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe37⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe38⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe40⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe41⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe42⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe43⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe44⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe45⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe47⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe48⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe49⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe51⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe54⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe55⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe57⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe58⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe59⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe60⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe62⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe63⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe64⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe65⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe66⤵PID:3928
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe67⤵PID:1212
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe68⤵PID:4020
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe69⤵PID:332
-
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe70⤵PID:744
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe71⤵PID:1360
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe72⤵PID:1764
-
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe73⤵PID:2148
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe74⤵PID:624
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe75⤵PID:1496
-
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe76⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe77⤵PID:1424
-
C:\Windows\SysWOW64\Jkodhk32.exeC:\Windows\system32\Jkodhk32.exe78⤵PID:1052
-
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe79⤵PID:4796
-
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe80⤵PID:1300
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe81⤵
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe82⤵PID:3160
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe83⤵PID:956
-
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe84⤵PID:3904
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe85⤵PID:1724
-
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe87⤵PID:1012
-
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe89⤵PID:3328
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe90⤵PID:3464
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe91⤵PID:1628
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe92⤵PID:1624
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe94⤵PID:2612
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe95⤵PID:224
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe96⤵
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe97⤵PID:3648
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe98⤵PID:760
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe99⤵PID:892
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe100⤵
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe101⤵PID:860
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe102⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe103⤵
- Drops file in System32 directory
PID:3796 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe104⤵PID:5152
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe105⤵PID:5196
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe106⤵PID:5240
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe107⤵PID:5300
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe108⤵PID:5344
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe109⤵PID:5416
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe110⤵PID:5484
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe111⤵PID:5536
-
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe112⤵PID:5584
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe114⤵PID:5708
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe115⤵PID:5772
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe116⤵PID:5828
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe117⤵PID:5880
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe118⤵PID:5924
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe119⤵PID:5976
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe120⤵PID:6024
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe121⤵PID:6068
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-