Analysis
- max time kernel: 110s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/09/2024, 10:43
Static task: static1
Behavioral task: behavioral1
- Sample: b5133c737803df27ec90171b28e58250N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b5133c737803df27ec90171b28e58250N.exe
- Resource: win10v2004-20240802-en
General
- Target: b5133c737803df27ec90171b28e58250N.exe
- Size: 56KB
- MD5: b5133c737803df27ec90171b28e58250
- SHA1: cb2c1fdb47da69bc426db7d170363ac627c112af
- SHA256: c03442eda27096f0186604793535bedb7b9c2fd28a4458652a5e03227401b5e7
- SHA512: cbfc09532f063ec4c803b497573f95bdd8612bffc149e3ccf580dd17e0f0ebf730ad4f50c796c8faae9aca7fb3503bcd0ea822dc690000a062d5bd47fbf76118
- SSDEEP: 768:lAC+elMebcDJLTqO4w8YW0DWztnLQEPEzdkSqY5AJMYOaE3TqM03c0SB0/1H5xX3:lAfhtJLmO46Wrzd9PEJXkO5TL033iWF
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4600, pid_target: 5328, Process: WerFault.exe, procid_target: 915
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5133c737803df27ec90171b28e58250N.exe"C:\Users\Admin\AppData\Local\Temp\b5133c737803df27ec90171b28e58250N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Kikncjef.exeC:\Windows\system32\Kikncjef.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5176 -
C:\Windows\SysWOW64\Kmgjdi32.exeC:\Windows\system32\Kmgjdi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5524 -
C:\Windows\SysWOW64\Kpefpd32.exeC:\Windows\system32\Kpefpd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Kbcblp32.exeC:\Windows\system32\Kbcblp32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Kfonmncp.exeC:\Windows\system32\Kfonmncp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Kjkjnm32.exeC:\Windows\system32\Kjkjnm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5648 -
C:\Windows\SysWOW64\Kmifjh32.exeC:\Windows\system32\Kmifjh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Kpgcfd32.exeC:\Windows\system32\Kpgcfd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Kdcofbbi.exeC:\Windows\system32\Kdcofbbi.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5984 -
C:\Windows\SysWOW64\Kfakbnam.exeC:\Windows\system32\Kfakbnam.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5880 -
C:\Windows\SysWOW64\Kkmgcm32.exeC:\Windows\system32\Kkmgcm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6068 -
C:\Windows\SysWOW64\Kmkcohij.exeC:\Windows\system32\Kmkcohij.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5808 -
C:\Windows\SysWOW64\Kpjpkchn.exeC:\Windows\system32\Kpjpkchn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5940 -
C:\Windows\SysWOW64\Kbhlgoga.exeC:\Windows\system32\Kbhlgoga.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6116 -
C:\Windows\SysWOW64\Kfdhhn32.exeC:\Windows\system32\Kfdhhn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5868 -
C:\Windows\SysWOW64\Kibddi32.exeC:\Windows\system32\Kibddi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5492 -
C:\Windows\SysWOW64\Kailef32.exeC:\Windows\system32\Kailef32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Kpllacfk.exeC:\Windows\system32\Kpllacfk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Kbjhmoeo.exeC:\Windows\system32\Kbjhmoeo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Lmpmjgee.exeC:\Windows\system32\Lmpmjgee.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\Lpoifc32.exeC:\Windows\system32\Lpoifc32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Lghacmle.exeC:\Windows\system32\Lghacmle.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Lmbipg32.exeC:\Windows\system32\Lmbipg32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ldlamajo.exeC:\Windows\system32\Ldlamajo.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Lgknimib.exeC:\Windows\system32\Lgknimib.exe26⤵
- Executes dropped EXE
PID:5612 -
C:\Windows\SysWOW64\Lkfjik32.exeC:\Windows\system32\Lkfjik32.exe27⤵
- Executes dropped EXE
PID:5360 -
C:\Windows\SysWOW64\Lapbfeih.exeC:\Windows\system32\Lapbfeih.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Ldonbq32.exeC:\Windows\system32\Ldonbq32.exe29⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Lgmknl32.exeC:\Windows\system32\Lgmknl32.exe30⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Lilgjh32.exeC:\Windows\system32\Lilgjh32.exe31⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Lpeoganq.exeC:\Windows\system32\Lpeoganq.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3224 -
C:\Windows\SysWOW64\Lgpgdl32.exeC:\Windows\system32\Lgpgdl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Lincpg32.exeC:\Windows\system32\Lincpg32.exe34⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Laelad32.exeC:\Windows\system32\Laelad32.exe35⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Ldchmpdg.exeC:\Windows\system32\Ldchmpdg.exe36⤵
- Executes dropped EXE
PID:5456 -
C:\Windows\SysWOW64\Mgbdilck.exeC:\Windows\system32\Mgbdilck.exe37⤵
- Executes dropped EXE
PID:5348 -
C:\Windows\SysWOW64\Mippegbn.exeC:\Windows\system32\Mippegbn.exe38⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Maghgdcq.exeC:\Windows\system32\Maghgdcq.exe39⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mpjhba32.exeC:\Windows\system32\Mpjhba32.exe40⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Mcienm32.exeC:\Windows\system32\Mcienm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Mgdqokah.exeC:\Windows\system32\Mgdqokah.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:732 -
C:\Windows\SysWOW64\Mibmkfql.exeC:\Windows\system32\Mibmkfql.exe43⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Mpmehq32.exeC:\Windows\system32\Mpmehq32.exe44⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Mckadl32.exeC:\Windows\system32\Mckadl32.exe45⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Miejqf32.exeC:\Windows\system32\Miejqf32.exe46⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Malabc32.exeC:\Windows\system32\Malabc32.exe47⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Mpobmqff.exeC:\Windows\system32\Mpobmqff.exe48⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mcmnilei.exeC:\Windows\system32\Mcmnilei.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Mkdfkiel.exeC:\Windows\system32\Mkdfkiel.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Mncbgdeo.exeC:\Windows\system32\Mncbgdeo.exe51⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Mpaocpdc.exeC:\Windows\system32\Mpaocpdc.exe52⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Mgkgpj32.exeC:\Windows\system32\Mgkgpj32.exe53⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Mkgcpi32.exeC:\Windows\system32\Mkgcpi32.exe54⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Mneold32.exeC:\Windows\system32\Mneold32.exe55⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Mpckhp32.exeC:\Windows\system32\Mpckhp32.exe56⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Ndoginji.exeC:\Windows\system32\Ndoginji.exe57⤵
- Executes dropped EXE
PID:5528 -
C:\Windows\SysWOW64\Ngncejim.exeC:\Windows\system32\Ngncejim.exe58⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Nkipfh32.exeC:\Windows\system32\Nkipfh32.exe59⤵
- Executes dropped EXE
PID:5656 -
C:\Windows\SysWOW64\Nnglbd32.exeC:\Windows\system32\Nnglbd32.exe60⤵
- Executes dropped EXE
PID:5132 -
C:\Windows\SysWOW64\Nachbbic.exeC:\Windows\system32\Nachbbic.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Npfhno32.exeC:\Windows\system32\Npfhno32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6012 -
C:\Windows\SysWOW64\Ncddjk32.exeC:\Windows\system32\Ncddjk32.exe63⤵
- Executes dropped EXE
PID:5196 -
C:\Windows\SysWOW64\Ngppkigk.exeC:\Windows\system32\Ngppkigk.exe64⤵
- Executes dropped EXE
PID:5860 -
C:\Windows\SysWOW64\Njnmge32.exeC:\Windows\system32\Njnmge32.exe65⤵
- Executes dropped EXE
PID:5124 -
C:\Windows\SysWOW64\Nnjhgcog.exeC:\Windows\system32\Nnjhgcog.exe66⤵PID:5584
-
C:\Windows\SysWOW64\Naedhb32.exeC:\Windows\system32\Naedhb32.exe67⤵
- Drops file in System32 directory
PID:5912 -
C:\Windows\SysWOW64\Npheconk.exeC:\Windows\system32\Npheconk.exe68⤵PID:4380
-
C:\Windows\SysWOW64\Npheconk.exeC:\Windows\system32\Npheconk.exe69⤵PID:1648
-
C:\Windows\SysWOW64\Nddqdn32.exeC:\Windows\system32\Nddqdn32.exe70⤵PID:5836
-
C:\Windows\SysWOW64\Ncgapjmo.exeC:\Windows\system32\Ncgapjmo.exe71⤵PID:3964
-
C:\Windows\SysWOW64\Nkniahna.exeC:\Windows\system32\Nkniahna.exe72⤵
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Njqild32.exeC:\Windows\system32\Njqild32.exe73⤵PID:1700
-
C:\Windows\SysWOW64\Nnlemcme.exeC:\Windows\system32\Nnlemcme.exe74⤵PID:2128
-
C:\Windows\SysWOW64\Nahanb32.exeC:\Windows\system32\Nahanb32.exe75⤵PID:404
-
C:\Windows\SysWOW64\Npkaiolh.exeC:\Windows\system32\Npkaiolh.exe76⤵PID:5296
-
C:\Windows\SysWOW64\Ncinejkl.exeC:\Windows\system32\Ncinejkl.exe77⤵PID:5544
-
C:\Windows\SysWOW64\Ngdjfi32.exeC:\Windows\system32\Ngdjfi32.exe78⤵PID:5252
-
C:\Windows\SysWOW64\Nkpffgkn.exeC:\Windows\system32\Nkpffgkn.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Njcfbd32.exeC:\Windows\system32\Njcfbd32.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Nnobbc32.exeC:\Windows\system32\Nnobbc32.exe81⤵PID:1372
-
C:\Windows\SysWOW64\Najncack.exeC:\Windows\system32\Najncack.exe82⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Nqmnon32.exeC:\Windows\system32\Nqmnon32.exe83⤵PID:2508
-
C:\Windows\SysWOW64\Ndhjombo.exeC:\Windows\system32\Ndhjombo.exe84⤵PID:5364
-
C:\Windows\SysWOW64\Nckjkj32.exeC:\Windows\system32\Nckjkj32.exe85⤵PID:4600
-
C:\Windows\SysWOW64\Nggfkhab.exeC:\Windows\system32\Nggfkhab.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Njebgdpf.exeC:\Windows\system32\Njebgdpf.exe87⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Njebgdpf.exeC:\Windows\system32\Njebgdpf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4740 -
C:\Windows\SysWOW64\Nnaohb32.exeC:\Windows\system32\Nnaohb32.exe89⤵PID:4952
-
C:\Windows\SysWOW64\Oqokdn32.exeC:\Windows\system32\Oqokdn32.exe90⤵PID:4288
-
C:\Windows\SysWOW64\Odkgempl.exeC:\Windows\system32\Odkgempl.exe91⤵PID:2328
-
C:\Windows\SysWOW64\Ocngpi32.exeC:\Windows\system32\Ocngpi32.exe92⤵
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ogicahop.exeC:\Windows\system32\Ogicahop.exe93⤵PID:3212
-
C:\Windows\SysWOW64\Ojhomcnc.exeC:\Windows\system32\Ojhomcnc.exe94⤵PID:3920
-
C:\Windows\SysWOW64\Oncknb32.exeC:\Windows\system32\Oncknb32.exe95⤵PID:1688
-
C:\Windows\SysWOW64\Oaogna32.exeC:\Windows\system32\Oaogna32.exe96⤵PID:3208
-
C:\Windows\SysWOW64\Oqagjneq.exeC:\Windows\system32\Oqagjneq.exe97⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Odmcjl32.exeC:\Windows\system32\Odmcjl32.exe98⤵PID:4732
-
C:\Windows\SysWOW64\Ocpdfied.exeC:\Windows\system32\Ocpdfied.exe99⤵PID:668
-
C:\Windows\SysWOW64\Okglgfef.exeC:\Windows\system32\Okglgfef.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Ojjlbc32.exeC:\Windows\system32\Ojjlbc32.exe101⤵PID:5948
-
C:\Windows\SysWOW64\Onehcbdj.exeC:\Windows\system32\Onehcbdj.exe102⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Obaddq32.exeC:\Windows\system32\Obaddq32.exe103⤵PID:5996
-
C:\Windows\SysWOW64\Odpppl32.exeC:\Windows\system32\Odpppl32.exe104⤵PID:4316
-
C:\Windows\SysWOW64\Ocbqkica.exeC:\Windows\system32\Ocbqkica.exe105⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Okihmfcc.exeC:\Windows\system32\Okihmfcc.exe106⤵PID:4580
-
C:\Windows\SysWOW64\Ojlihc32.exeC:\Windows\system32\Ojlihc32.exe107⤵PID:3496
-
C:\Windows\SysWOW64\Obcaip32.exeC:\Windows\system32\Obcaip32.exe108⤵PID:1720
-
C:\Windows\SysWOW64\Oqfaem32.exeC:\Windows\system32\Oqfaem32.exe109⤵PID:4560
-
C:\Windows\SysWOW64\Ocemah32.exeC:\Windows\system32\Ocemah32.exe110⤵PID:5024
-
C:\Windows\SysWOW64\Ogpiagih.exeC:\Windows\system32\Ogpiagih.exe111⤵
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Ojoenbhl.exeC:\Windows\system32\Ojoenbhl.exe112⤵PID:5700
-
C:\Windows\SysWOW64\Onjana32.exeC:\Windows\system32\Onjana32.exe113⤵PID:3840
-
C:\Windows\SysWOW64\Obfnopin.exeC:\Windows\system32\Obfnopin.exe114⤵PID:1320
-
C:\Windows\SysWOW64\Oddjkkha.exeC:\Windows\system32\Oddjkkha.exe115⤵PID:2664
-
C:\Windows\SysWOW64\Ogbfggge.exeC:\Windows\system32\Ogbfggge.exe116⤵
- System Location Discovery: System Language Discovery
PID:5756 -
C:\Windows\SysWOW64\Oknbhe32.exeC:\Windows\system32\Oknbhe32.exe117⤵PID:908
-
C:\Windows\SysWOW64\Ojabcbfi.exeC:\Windows\system32\Ojabcbfi.exe118⤵PID:5288
-
C:\Windows\SysWOW64\Pbhjdpgk.exeC:\Windows\system32\Pbhjdpgk.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Pdffqk32.exeC:\Windows\system32\Pdffqk32.exe120⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\Pgebmf32.exeC:\Windows\system32\Pgebmf32.exe121⤵PID:2788
-
C:\Windows\SysWOW64\Pjcoib32.exeC:\Windows\system32\Pjcoib32.exe122⤵PID:3912