Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/09/2024, 12:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
633f965370943064044dba66e84acac0N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
633f965370943064044dba66e84acac0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
633f965370943064044dba66e84acac0N.exe
-
Size
72KB
-
MD5
633f965370943064044dba66e84acac0
-
SHA1
b07af030907d2216b3b7f8d39426575c68a02ff1
-
SHA256
dbddf94608181815c734937129a6128b8d878ff160518624144ffa69280232c9
-
SHA512
518fe8160b66f1cd909cf40276f76d673e90e8c4086abc5a1e4c49f6c50cc5fe5a87391774accf4ccf11898b384a7f85ba6f90eab65769c1334577bc102d7c64
-
SSDEEP
1536:OxsA38lX2Bn4oqkwu42KlrnSyLXPgUN3QivEtA:OyN2Bn4fPu42eLXPgU5QJA
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpgkcdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcdof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqeihbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hljnkdnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jckeokan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfcmhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpifeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iglhob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfghlhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpbkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjfhbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgemahmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mknlef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhofbma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpihbjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Googaaej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibbklke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcbidcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgfod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opjgidfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfeoijbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjaiac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbdip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eedmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feljgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npognfpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkhfek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Canocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpemkcck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feimadoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ellicihn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhehkepj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcicjbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfedmfqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Midfjnge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbhgjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icpecm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmpob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjebpml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oahnhncc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqklnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnjbdep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpihbjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oacdmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpbhmna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhckeeam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnoip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpemkcck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leedqa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdllffpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elilmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikihlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkabbgol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leqkeajd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaidf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phkaqqoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anffje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhlleeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edakimoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiijfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ienlbf32.exe -
Executes dropped EXE 64 IoCs
pid Process 2328 Mclhjkfa.exe 2780 Mhiabbdi.exe 756 Mcoepkdo.exe 2184 Mdpagc32.exe 1784 Mkjjdmaj.exe 4808 Madbagif.exe 4072 Mdbnmbhj.exe 676 Mlifnphl.exe 3372 Mafofggd.exe 4304 Mhpgca32.exe 3208 Mahklf32.exe 3172 Nhbciqln.exe 3688 Nomlek32.exe 5028 Nakhaf32.exe 2132 Nooikj32.exe 1464 Ndlacapp.exe 4732 Noaeqjpe.exe 4256 Ncmaai32.exe 64 Nhjjip32.exe 4888 Nkhfek32.exe 4268 Nocbfjmc.exe 3448 Nbbnbemf.exe 4740 Nfnjbdep.exe 2584 Nlgbon32.exe 2352 Nkjckkcg.exe 3212 Odedipge.exe 4192 Okolfj32.exe 4968 Odgqopeb.exe 2564 Oloipmfd.exe 4092 Oomelheh.exe 2432 Odjmdocp.exe 2456 Okceaikl.exe 620 Ohhfknjf.exe 3176 Okfbgiij.exe 2748 Obpkcc32.exe 1220 Pdngpo32.exe 1432 Pcpgmf32.exe 2836 Pilpfm32.exe 3564 Pbddobla.exe 1116 Pecpknke.exe 2252 Pmjhlklg.exe 2180 Poidhg32.exe 5012 Peempn32.exe 948 Pmmeak32.exe 3704 Pcfmneaa.exe 4400 Pbimjb32.exe 1704 Pkabbgol.exe 4540 Pcijce32.exe 2008 Qifbll32.exe 1916 Qppkhfec.exe 3316 Qelcamcj.exe 3780 Qpbgnecp.exe 3348 Aflpkpjm.exe 4908 Amfhgj32.exe 1608 Acppddig.exe 2284 Aealll32.exe 2728 Apgqie32.exe 4824 Afqifo32.exe 1004 Amkabind.exe 936 Acdioc32.exe 4020 Aiabhj32.exe 3000 Alpnde32.exe 2216 Bcicjbal.exe 1592 Bifkcioc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bjkcqdje.exe Biigildg.exe File created C:\Windows\SysWOW64\Lagqnoge.dll Kfeagefd.exe File created C:\Windows\SysWOW64\Mobbdf32.exe Mgkjch32.exe File created C:\Windows\SysWOW64\Jnolbm32.dll Bfghlhmd.exe File opened for modification C:\Windows\SysWOW64\Fghcqq32.exe Fpnkdfko.exe File created C:\Windows\SysWOW64\Kagbdenk.exe Kjmjgk32.exe File opened for modification C:\Windows\SysWOW64\Ljffccjh.exe Kclnfi32.exe File opened for modification C:\Windows\SysWOW64\Bdiamnpc.exe Bnoiqd32.exe File created C:\Windows\SysWOW64\Ngcdji32.dll Ebokodfc.exe File created C:\Windows\SysWOW64\Oahnhncc.exe Oojalb32.exe File created C:\Windows\SysWOW64\Kclnfi32.exe Kanbjn32.exe File created C:\Windows\SysWOW64\Mffjnc32.exe Lhcjbfag.exe File created C:\Windows\SysWOW64\Ppffec32.exe Pjlnhi32.exe File opened for modification C:\Windows\SysWOW64\Mgkjch32.exe Mejnlpai.exe File created C:\Windows\SysWOW64\Lhjicplp.dll Pddokabk.exe File created C:\Windows\SysWOW64\Bgkaip32.exe Bfieagka.exe File created C:\Windows\SysWOW64\Ahnljade.dll Kanbjn32.exe File created C:\Windows\SysWOW64\Aqfolqna.exe Ajmgof32.exe File created C:\Windows\SysWOW64\Jibdpo32.dll Cigcjj32.exe File opened for modification C:\Windows\SysWOW64\Pmjhlklg.exe Pecpknke.exe File created C:\Windows\SysWOW64\Hnmnengg.exe Hgbfhc32.exe File opened for modification C:\Windows\SysWOW64\Abgcqjhp.exe Aohfdnil.exe File created C:\Windows\SysWOW64\Clffalkf.exe Cihjeq32.exe File created C:\Windows\SysWOW64\Eknanh32.dll Nhjjip32.exe File created C:\Windows\SysWOW64\Djabhe32.dll Mpqklh32.exe File created C:\Windows\SysWOW64\Cigcjj32.exe Cnboma32.exe File opened for modification C:\Windows\SysWOW64\Elgohj32.exe Eihcln32.exe File created C:\Windows\SysWOW64\Icgbob32.exe Imnjbhaa.exe File opened for modification C:\Windows\SysWOW64\Homcbo32.exe Hhckeeam.exe File created C:\Windows\SysWOW64\Imnjbhaa.exe Igqbiacj.exe File created C:\Windows\SysWOW64\Nibbklke.exe Npjnbg32.exe File created C:\Windows\SysWOW64\Qggebl32.exe Qpmmfbfl.exe File opened for modification C:\Windows\SysWOW64\Dbbdip32.exe Dlhlleeh.exe File created C:\Windows\SysWOW64\Mgkjch32.exe Mejnlpai.exe File created C:\Windows\SysWOW64\Cigbibll.dll Ienlbf32.exe File created C:\Windows\SysWOW64\Lhogamih.exe Leqkeajd.exe File created C:\Windows\SysWOW64\Olpigmpg.dll Aiqkmd32.exe File created C:\Windows\SysWOW64\Fcqlqnpo.dll Cifmoa32.exe File created C:\Windows\SysWOW64\Daajam32.dll Googaaej.exe File created C:\Windows\SysWOW64\Pdklebje.exe Onqdhh32.exe File created C:\Windows\SysWOW64\Haafdi32.dll Pkabbgol.exe File created C:\Windows\SysWOW64\Mmhpkebp.dll Bifkcioc.exe File created C:\Windows\SysWOW64\Ifjoop32.exe Hdicggla.exe File created C:\Windows\SysWOW64\Kjmjgk32.exe Kccbjq32.exe File created C:\Windows\SysWOW64\Gonngd32.dll Mfkcibdl.exe File created C:\Windows\SysWOW64\Lhlaofoa.dll Apgqie32.exe File opened for modification C:\Windows\SysWOW64\Ljjpnb32.exe Lmfodn32.exe File created C:\Windows\SysWOW64\Dbijinfl.exe Dnnoip32.exe File created C:\Windows\SysWOW64\Icchoopc.dll Jfkhfmdm.exe File opened for modification C:\Windows\SysWOW64\Kjdqhjpf.exe Kdjhkp32.exe File created C:\Windows\SysWOW64\Oojalb32.exe Okneldkf.exe File opened for modification C:\Windows\SysWOW64\Eangjkkd.exe Enpknplq.exe File opened for modification C:\Windows\SysWOW64\Iebfmfdg.exe Iqgjmg32.exe File opened for modification C:\Windows\SysWOW64\Epeohn32.exe Eljchpnl.exe File created C:\Windows\SysWOW64\Npjnbg32.exe Mphamg32.exe File opened for modification C:\Windows\SysWOW64\Pkgaglpp.exe Pdmikb32.exe File opened for modification C:\Windows\SysWOW64\Cegnol32.exe Calbnnkj.exe File created C:\Windows\SysWOW64\Cieoen32.dll Amkabind.exe File created C:\Windows\SysWOW64\Bihhhi32.exe Bboplo32.exe File created C:\Windows\SysWOW64\Pcijce32.exe Pkabbgol.exe File created C:\Windows\SysWOW64\Mkofokch.dll Kjfmminc.exe File created C:\Windows\SysWOW64\Beobcdoi.exe Bndjfjhl.exe File created C:\Windows\SysWOW64\Dcgpmj32.dll Cnpibh32.exe File created C:\Windows\SysWOW64\Ellicihn.exe Efopjbjg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12448 12316 WerFault.exe 628 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilmeida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldjkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhefhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahpee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adpogp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okceaikl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qelcamcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdogj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glqkefff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfeoijbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljijci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpkbfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cefoni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjoop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibfbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miipencp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmnengg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdffah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnefieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmiepcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhdjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmhofbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojjcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggoiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlgbon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfaenfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpibh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmneemaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mknlef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moiheebb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnnqgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcaqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhiabbdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoncm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Googaaej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqklnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqeihbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkjig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddokabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmebnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmedmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nooikj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edakimoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceoppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foonjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiqomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclnfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbnmbhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnbdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clffalkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckeokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoiqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcicjbal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhalkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loiong32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghgljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odedipge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlaofoa.dll" Apgqie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icminm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclhjkfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epiaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgjaf32.dll" Aokcjngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpgjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbolflm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmgfod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poidhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmfkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmopone.dll" Bkhjpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdbnmbhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jakchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmeb32.dll" Chfaenfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcmpgpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icchoopc.dll" Jfkhfmdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feljgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnlmdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifjoop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bihhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdggeba.dll" Efopjbjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npliag32.dll" Foonjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhgfep32.dll" Pgpobmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhjjip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhleefhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljjpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaaneok.dll" Igqbiacj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbijinfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elihef32.dll" Ngifef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peempn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnanioad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmeqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jglkkiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acphqk32.dll" Dndlba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll" Mkjjdmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Janpnfee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbdano32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjfhbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdjhkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiqomj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnjhhpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhjjcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icpecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiokacgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmiepcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdnelpod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gomkkagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohobebig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll" Cpnpqakp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpnde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjegen32.dll" Jjdgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmghklif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciefek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbdano32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkjjdmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doljemai.dll" Jjhalkjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Logbigbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknohl32.dll" Cpklql32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2616 wrote to memory of 2328 2616 633f965370943064044dba66e84acac0N.exe 90 PID 2616 wrote to memory of 2328 2616 633f965370943064044dba66e84acac0N.exe 90 PID 2616 wrote to memory of 2328 2616 633f965370943064044dba66e84acac0N.exe 90 PID 2328 wrote to memory of 2780 2328 Mclhjkfa.exe 91 PID 2328 wrote to memory of 2780 2328 Mclhjkfa.exe 91 PID 2328 wrote to memory of 2780 2328 Mclhjkfa.exe 91 PID 2780 wrote to memory of 756 2780 Mhiabbdi.exe 92 PID 2780 wrote to memory of 756 2780 Mhiabbdi.exe 92 PID 2780 wrote to memory of 756 2780 Mhiabbdi.exe 92 PID 756 wrote to memory of 2184 756 Mcoepkdo.exe 93 PID 756 wrote to memory of 2184 756 Mcoepkdo.exe 93 PID 756 wrote to memory of 2184 756 Mcoepkdo.exe 93 PID 2184 wrote to memory of 1784 2184 Mdpagc32.exe 94 PID 2184 wrote to memory of 1784 2184 Mdpagc32.exe 94 PID 2184 wrote to memory of 1784 2184 Mdpagc32.exe 94 PID 1784 wrote to memory of 4808 1784 Mkjjdmaj.exe 95 PID 1784 wrote to memory of 4808 1784 Mkjjdmaj.exe 95 PID 1784 wrote to memory of 4808 1784 Mkjjdmaj.exe 95 PID 4808 wrote to memory of 4072 4808 Madbagif.exe 96 PID 4808 wrote to memory of 4072 4808 Madbagif.exe 96 PID 4808 wrote to memory of 4072 4808 Madbagif.exe 96 PID 4072 wrote to memory of 676 4072 Mdbnmbhj.exe 97 PID 4072 wrote to memory of 676 4072 Mdbnmbhj.exe 97 PID 4072 wrote to memory of 676 4072 Mdbnmbhj.exe 97 PID 676 wrote to memory of 3372 676 Mlifnphl.exe 98 PID 676 wrote to memory of 3372 676 Mlifnphl.exe 98 PID 676 wrote to memory of 3372 676 Mlifnphl.exe 98 PID 3372 wrote to memory of 4304 3372 Mafofggd.exe 100 PID 3372 wrote to memory of 4304 3372 Mafofggd.exe 100 PID 3372 wrote to memory of 4304 3372 Mafofggd.exe 100 PID 4304 wrote to memory of 3208 4304 Mhpgca32.exe 101 PID 4304 wrote to memory of 3208 4304 Mhpgca32.exe 101 PID 4304 wrote to memory of 3208 4304 Mhpgca32.exe 101 PID 3208 wrote to memory of 3172 3208 Mahklf32.exe 103 PID 3208 wrote to memory of 3172 3208 Mahklf32.exe 103 PID 3208 wrote to memory of 3172 3208 Mahklf32.exe 103 PID 3172 wrote to memory of 3688 3172 Nhbciqln.exe 104 PID 3172 wrote to memory of 3688 3172 Nhbciqln.exe 104 PID 3172 wrote to memory of 3688 3172 Nhbciqln.exe 104 PID 3688 wrote to memory of 5028 3688 Nomlek32.exe 105 PID 3688 wrote to memory of 5028 3688 Nomlek32.exe 105 PID 3688 wrote to memory of 5028 3688 Nomlek32.exe 105 PID 5028 wrote to memory of 2132 5028 Nakhaf32.exe 107 PID 5028 wrote to memory of 2132 5028 Nakhaf32.exe 107 PID 5028 wrote to memory of 2132 5028 Nakhaf32.exe 107 PID 2132 wrote to memory of 1464 2132 Nooikj32.exe 108 PID 2132 wrote to memory of 1464 2132 Nooikj32.exe 108 PID 2132 wrote to memory of 1464 2132 Nooikj32.exe 108 PID 1464 wrote to memory of 4732 1464 Ndlacapp.exe 109 PID 1464 wrote to memory of 4732 1464 Ndlacapp.exe 109 PID 1464 wrote to memory of 4732 1464 Ndlacapp.exe 109 PID 4732 wrote to memory of 4256 4732 Noaeqjpe.exe 110 PID 4732 wrote to memory of 4256 4732 Noaeqjpe.exe 110 PID 4732 wrote to memory of 4256 4732 Noaeqjpe.exe 110 PID 4256 wrote to memory of 64 4256 Ncmaai32.exe 111 PID 4256 wrote to memory of 64 4256 Ncmaai32.exe 111 PID 4256 wrote to memory of 64 4256 Ncmaai32.exe 111 PID 64 wrote to memory of 4888 64 Nhjjip32.exe 112 PID 64 wrote to memory of 4888 64 Nhjjip32.exe 112 PID 64 wrote to memory of 4888 64 Nhjjip32.exe 112 PID 4888 wrote to memory of 4268 4888 Nkhfek32.exe 113 PID 4888 wrote to memory of 4268 4888 Nkhfek32.exe 113 PID 4888 wrote to memory of 4268 4888 Nkhfek32.exe 113 PID 4268 wrote to memory of 3448 4268 Nocbfjmc.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\633f965370943064044dba66e84acac0N.exe"C:\Users\Admin\AppData\Local\Temp\633f965370943064044dba66e84acac0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Madbagif.exeC:\Windows\system32\Madbagif.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Noaeqjpe.exeC:\Windows\system32\Noaeqjpe.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Ncmaai32.exeC:\Windows\system32\Ncmaai32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Nhjjip32.exeC:\Windows\system32\Nhjjip32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe23⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Nlgbon32.exeC:\Windows\system32\Nlgbon32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Nkjckkcg.exeC:\Windows\system32\Nkjckkcg.exe26⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe28⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe29⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe30⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Oomelheh.exeC:\Windows\system32\Oomelheh.exe31⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe32⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Ohhfknjf.exeC:\Windows\system32\Ohhfknjf.exe34⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Okfbgiij.exeC:\Windows\system32\Okfbgiij.exe35⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe36⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe37⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe38⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe39⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe40⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1116 -
C:\Windows\SysWOW64\Pmjhlklg.exeC:\Windows\system32\Pmjhlklg.exe42⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe46⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe47⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe49⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe50⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe51⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Qelcamcj.exeC:\Windows\system32\Qelcamcj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Windows\SysWOW64\Qpbgnecp.exeC:\Windows\system32\Qpbgnecp.exe53⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Aflpkpjm.exeC:\Windows\system32\Aflpkpjm.exe54⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Amfhgj32.exeC:\Windows\system32\Amfhgj32.exe55⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe56⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe57⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe59⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe61⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe62⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Afeban32.exeC:\Windows\system32\Afeban32.exe64⤵PID:2892
-
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3080 -
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe68⤵
- Modifies registry class
PID:4796 -
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe69⤵PID:2992
-
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5132 -
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe71⤵PID:5176
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe72⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe73⤵
- System Location Discovery: System Language Discovery
PID:5268 -
C:\Windows\SysWOW64\Cpifeb32.exeC:\Windows\system32\Cpifeb32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe75⤵PID:5356
-
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe76⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe78⤵PID:5488
-
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe79⤵PID:5536
-
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe80⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe81⤵PID:5648
-
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe82⤵PID:5704
-
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe83⤵PID:5756
-
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe84⤵PID:5800
-
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe85⤵
- Modifies registry class
PID:5844 -
C:\Windows\SysWOW64\Ciknefmk.exeC:\Windows\system32\Ciknefmk.exe86⤵PID:5884
-
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe87⤵PID:5928
-
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe88⤵PID:5972
-
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe89⤵PID:6016
-
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe90⤵PID:6060
-
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe91⤵PID:6104
-
C:\Windows\SysWOW64\Dmnpfd32.exeC:\Windows\system32\Dmnpfd32.exe92⤵PID:3672
-
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe93⤵PID:5188
-
C:\Windows\SysWOW64\Eiijfd32.exeC:\Windows\system32\Eiijfd32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5276 -
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe95⤵PID:5340
-
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe96⤵PID:5440
-
C:\Windows\SysWOW64\Edoncm32.exeC:\Windows\system32\Edoncm32.exe97⤵
- System Location Discovery: System Language Discovery
PID:5516 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe98⤵PID:5616
-
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe99⤵PID:5748
-
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe100⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Epeohn32.exeC:\Windows\system32\Epeohn32.exe101⤵PID:5924
-
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe103⤵PID:3312
-
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe104⤵PID:6140
-
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe105⤵PID:5216
-
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe106⤵PID:5344
-
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe107⤵PID:5500
-
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe108⤵PID:5680
-
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe109⤵PID:5852
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe110⤵PID:6012
-
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6120 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe112⤵PID:5260
-
C:\Windows\SysWOW64\Feljgd32.exeC:\Windows\system32\Feljgd32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5456 -
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe114⤵PID:5752
-
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe115⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Gjqinamq.exeC:\Windows\system32\Gjqinamq.exe116⤵PID:6092
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe117⤵PID:5392
-
C:\Windows\SysWOW64\Gfjfhbpb.exeC:\Windows\system32\Gfjfhbpb.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Gnanioad.exeC:\Windows\system32\Gnanioad.exe119⤵
- Modifies registry class
PID:5160 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe120⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Gcpcgfmi.exeC:\Windows\system32\Gcpcgfmi.exe121⤵PID:5204
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-