Analysis
-
max time kernel
94s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/09/2024, 04:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe
-
Size
207KB
-
MD5
de7a09264de843e23dcbe141327bf3e6
-
SHA1
e0ef3600d2aa4771bc38c3abc02098d2927821e8
-
SHA256
c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a
-
SHA512
3c1e6c91449b7eaa0b09b49eeb2a9b7bb52ba5c58ae04dab2b75b02efd05946bd1b910bc22d80d74872c95e3b6d9abe61b5252218cde25348ccb3ba487b2db43
-
SSDEEP
3072:/QRm1WfA9JnszCJcsHCVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:/QR8LHCVjj+VPj92d62ASOwj
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oabhfg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfgipd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbqmiinl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnfcia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jinboekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahaceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppmcdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhkfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdmmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibobdqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqikmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coadnlnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjdqmng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackbmcjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmfclm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgnoki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocjoadei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbkgfej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdgged32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehcfaboo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqklon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hildmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbnpcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkcadhgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odalmibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njiegl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmapodj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfadkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjchaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anclbkbp.exe -
Executes dropped EXE 64 IoCs
pid Process 5052 Nchjdo32.exe 4044 Nheble32.exe 1412 Ncjginjn.exe 3008 Oeicejia.exe 1020 Ooagno32.exe 1136 Oghppm32.exe 1332 Olehhc32.exe 3064 Ogklelna.exe 4508 Oiihahme.exe 4904 Ohlimd32.exe 4036 Ocamjm32.exe 3696 Oljaccjf.exe 2676 Ogpepl32.exe 3712 Ollnhb32.exe 4560 Pgbbek32.exe 1276 Phcomcng.exe 3704 Ppjgoaoj.exe 1040 Pgdokkfg.exe 2320 Pjbkgfej.exe 1184 Ppmcdq32.exe 2096 Pgflqkdd.exe 3748 Pofjpl32.exe 2504 Qfpbmfdf.exe 2384 Qljjjqlc.exe 536 Qgpogili.exe 1860 Qhakoa32.exe 1376 Acgolj32.exe 4584 Afelhf32.exe 4172 Aqkpeopg.exe 32 Afghneoo.exe 1108 Amaqjp32.exe 1408 Aggegh32.exe 1728 Aobilkcl.exe 544 Agiamhdo.exe 4448 Aijnep32.exe 1352 Aqaffn32.exe 2872 Acpbbi32.exe 5092 Ajjjocap.exe 3644 Bqdblmhl.exe 2408 Bogcgj32.exe 1340 Bgnkhg32.exe 4164 Biogppeg.exe 712 Boipmj32.exe 2004 Bgpgng32.exe 1580 Biadeoce.exe 2296 Bqilgmdg.exe 920 Bfedoc32.exe 1000 Bidqko32.exe 1288 Bpnihiio.exe 4916 Bgeaifia.exe 3828 Bjcmebie.exe 4896 Bmbiamhi.exe 3192 Bppfmigl.exe 4772 Bclang32.exe 876 Bjfjka32.exe 3764 Cmdfgm32.exe 3084 Cgjjdf32.exe 4644 Cflkpblf.exe 4320 Cmfclm32.exe 3404 Cpeohh32.exe 4820 Cfogeb32.exe 3132 Cimcan32.exe 3680 Cpglnhad.exe 1748 Cfadkb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cogddd32.exe Cpfcfmlp.exe File created C:\Windows\SysWOW64\Hkdjfb32.exe Hdjbiheb.exe File opened for modification C:\Windows\SysWOW64\Lqikmc32.exe Lmmolepp.exe File created C:\Windows\SysWOW64\Pkegpb32.exe Phfjcf32.exe File created C:\Windows\SysWOW64\Nmqmbmdf.dll Fihnomjp.exe File opened for modification C:\Windows\SysWOW64\Gejopl32.exe Gblbca32.exe File created C:\Windows\SysWOW64\Gpecbk32.exe Gmggfp32.exe File created C:\Windows\SysWOW64\Gingkqkd.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Iocedcbl.dll Amcehdod.exe File created C:\Windows\SysWOW64\Agiamhdo.exe Aobilkcl.exe File created C:\Windows\SysWOW64\Cfogeb32.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Gnjjfegi.exe Ghmbno32.exe File created C:\Windows\SysWOW64\Jqlefl32.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Miofjepg.exe Mahnhhod.exe File created C:\Windows\SysWOW64\Pcmdgodo.dll Chkobkod.exe File opened for modification C:\Windows\SysWOW64\Iknmla32.exe Icfekc32.exe File created C:\Windows\SysWOW64\Ejoaandc.dll Aekddhcb.exe File created C:\Windows\SysWOW64\Nagfjh32.dll Dhjckcgi.exe File created C:\Windows\SysWOW64\Dfefkkqp.exe Dbjkkl32.exe File created C:\Windows\SysWOW64\Lciibdmj.dll Hpchib32.exe File created C:\Windows\SysWOW64\Iplkpa32.exe Iibccgep.exe File opened for modification C:\Windows\SysWOW64\Ohlqcagj.exe Oabhfg32.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Pmlfqh32.exe File opened for modification C:\Windows\SysWOW64\Lbgalmej.exe Kjpijpdg.exe File opened for modification C:\Windows\SysWOW64\Cfigpm32.exe Bckkca32.exe File created C:\Windows\SysWOW64\Ackhdo32.dll Gbdoof32.exe File created C:\Windows\SysWOW64\Dkceokii.exe Dheibpje.exe File created C:\Windows\SysWOW64\Ipbehfom.dll Llmhaold.exe File created C:\Windows\SysWOW64\Qgaeof32.dll Aknbkjfh.exe File opened for modification C:\Windows\SysWOW64\Dfhjkabi.exe Dgejpd32.exe File opened for modification C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jddnfd32.exe File created C:\Windows\SysWOW64\Bllbaa32.exe Bddjpd32.exe File opened for modification C:\Windows\SysWOW64\Lnangaoa.exe Lfjfecno.exe File opened for modification C:\Windows\SysWOW64\Nbgcih32.exe Nkqkhk32.exe File opened for modification C:\Windows\SysWOW64\Ldgccb32.exe Lmpkadnm.exe File created C:\Windows\SysWOW64\Madjhb32.exe Mjkblhfo.exe File opened for modification C:\Windows\SysWOW64\Coadnlnb.exe Clchbqoo.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Imgicgca.exe File opened for modification C:\Windows\SysWOW64\Illfdc32.exe Iinjhh32.exe File created C:\Windows\SysWOW64\Pgdokkfg.exe Ppjgoaoj.exe File created C:\Windows\SysWOW64\Cimcan32.exe Cfogeb32.exe File created C:\Windows\SysWOW64\Cncijina.dll Oalipoiq.exe File created C:\Windows\SysWOW64\Ghbjikdh.dll Omegjomb.exe File created C:\Windows\SysWOW64\Pfabjq32.dll Gbnoiqdq.exe File created C:\Windows\SysWOW64\Qffkpn32.dll Bkaobnio.exe File created C:\Windows\SysWOW64\Dheibpje.exe Dfglfdkb.exe File opened for modification C:\Windows\SysWOW64\Ekdnei32.exe Eifaim32.exe File created C:\Windows\SysWOW64\Mmacdg32.dll Knnhjcog.exe File created C:\Windows\SysWOW64\Chlcgfff.dll Oldjcg32.exe File opened for modification C:\Windows\SysWOW64\Jofalmmp.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Chkobkod.exe Cnfkdb32.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fhdohp32.exe File created C:\Windows\SysWOW64\Pakllc32.exe Plndcl32.exe File created C:\Windows\SysWOW64\Ecefqnel.exe Elnoopdj.exe File opened for modification C:\Windows\SysWOW64\Fdglmkeg.exe Fplpll32.exe File created C:\Windows\SysWOW64\Lcggio32.exe Lqikmc32.exe File created C:\Windows\SysWOW64\Dpofmcef.dll Dhhfedil.exe File created C:\Windows\SysWOW64\Ockbnedp.dll Pcmeke32.exe File created C:\Windows\SysWOW64\Dpdaepai.exe Dikihe32.exe File created C:\Windows\SysWOW64\Nmdgikhi.exe Nfjola32.exe File created C:\Windows\SysWOW64\Boldhf32.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Ljalni32.dll Cfigpm32.exe File created C:\Windows\SysWOW64\Ghcjeh32.dll Ebgpad32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3748 3372 WerFault.exe 1019 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfcndce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdebfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckiihok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlnbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemhbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmfmhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmcdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejpje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeddnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmingjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meepdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcihaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeicejia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanokhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfeeimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmfllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epndknin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbbep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aajhndkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgnoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfjpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqjpajgi.dll" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjliajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgobjmp.dll" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkcckgg.dll" Nlfnaicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkibgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnjdgj.dll" Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjopcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmakofh.dll" Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll" Dkhnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppjgoaoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paplcg32.dll" Ecefqnel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Palklf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncjginjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpank32.dll" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbpajgmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajdegod.dll" Oiihahme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iafonaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acfhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohcia32.dll" Ccgajfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdafnpqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pffgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgenbfoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdfjld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ineedcfb.dll" Cndeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jleijb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlkbjqgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhmbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffangg32.dll" Pgbbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfkck32.dll" Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeaha32.dll" Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll" Qmgelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lijlof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djcoai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amjbbfgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdepb32.dll" Ggilil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdgc32.dll" Iafonaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnlnbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmlkhofd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 624 wrote to memory of 5052 624 c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe 83 PID 624 wrote to memory of 5052 624 c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe 83 PID 624 wrote to memory of 5052 624 c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe 83 PID 5052 wrote to memory of 4044 5052 Nchjdo32.exe 84 PID 5052 wrote to memory of 4044 5052 Nchjdo32.exe 84 PID 5052 wrote to memory of 4044 5052 Nchjdo32.exe 84 PID 4044 wrote to memory of 1412 4044 Nheble32.exe 85 PID 4044 wrote to memory of 1412 4044 Nheble32.exe 85 PID 4044 wrote to memory of 1412 4044 Nheble32.exe 85 PID 1412 wrote to memory of 3008 1412 Ncjginjn.exe 86 PID 1412 wrote to memory of 3008 1412 Ncjginjn.exe 86 PID 1412 wrote to memory of 3008 1412 Ncjginjn.exe 86 PID 3008 wrote to memory of 1020 3008 Oeicejia.exe 87 PID 3008 wrote to memory of 1020 3008 Oeicejia.exe 87 PID 3008 wrote to memory of 1020 3008 Oeicejia.exe 87 PID 1020 wrote to memory of 1136 1020 Ooagno32.exe 89 PID 1020 wrote to memory of 1136 1020 Ooagno32.exe 89 PID 1020 wrote to memory of 1136 1020 Ooagno32.exe 89 PID 1136 wrote to memory of 1332 1136 Oghppm32.exe 90 PID 1136 wrote to memory of 1332 1136 Oghppm32.exe 90 PID 1136 wrote to memory of 1332 1136 Oghppm32.exe 90 PID 1332 wrote to memory of 3064 1332 Olehhc32.exe 91 PID 1332 wrote to memory of 3064 1332 Olehhc32.exe 91 PID 1332 wrote to memory of 3064 1332 Olehhc32.exe 91 PID 3064 wrote to memory of 4508 3064 Ogklelna.exe 92 PID 3064 wrote to memory of 4508 3064 Ogklelna.exe 92 PID 3064 wrote to memory of 4508 3064 Ogklelna.exe 92 PID 4508 wrote to memory of 4904 4508 Oiihahme.exe 93 PID 4508 wrote to memory of 4904 4508 Oiihahme.exe 93 PID 4508 wrote to memory of 4904 4508 Oiihahme.exe 93 PID 4904 wrote to memory of 4036 4904 Ohlimd32.exe 95 PID 4904 wrote to memory of 4036 4904 Ohlimd32.exe 95 PID 4904 wrote to memory of 4036 4904 Ohlimd32.exe 95 PID 4036 wrote to memory of 3696 4036 Ocamjm32.exe 96 PID 4036 wrote to memory of 3696 4036 Ocamjm32.exe 96 PID 4036 wrote to memory of 3696 4036 Ocamjm32.exe 96 PID 3696 wrote to memory of 2676 3696 Oljaccjf.exe 97 PID 3696 wrote to memory of 2676 3696 Oljaccjf.exe 97 PID 3696 wrote to memory of 2676 3696 Oljaccjf.exe 97 PID 2676 wrote to memory of 3712 2676 Ogpepl32.exe 99 PID 2676 wrote to memory of 3712 2676 Ogpepl32.exe 99 PID 2676 wrote to memory of 3712 2676 Ogpepl32.exe 99 PID 3712 wrote to memory of 4560 3712 Ollnhb32.exe 100 PID 3712 wrote to memory of 4560 3712 Ollnhb32.exe 100 PID 3712 wrote to memory of 4560 3712 Ollnhb32.exe 100 PID 4560 wrote to memory of 1276 4560 Pgbbek32.exe 101 PID 4560 wrote to memory of 1276 4560 Pgbbek32.exe 101 PID 4560 wrote to memory of 1276 4560 Pgbbek32.exe 101 PID 1276 wrote to memory of 3704 1276 Phcomcng.exe 102 PID 1276 wrote to memory of 3704 1276 Phcomcng.exe 102 PID 1276 wrote to memory of 3704 1276 Phcomcng.exe 102 PID 3704 wrote to memory of 1040 3704 Ppjgoaoj.exe 103 PID 3704 wrote to memory of 1040 3704 Ppjgoaoj.exe 103 PID 3704 wrote to memory of 1040 3704 Ppjgoaoj.exe 103 PID 1040 wrote to memory of 2320 1040 Pgdokkfg.exe 104 PID 1040 wrote to memory of 2320 1040 Pgdokkfg.exe 104 PID 1040 wrote to memory of 2320 1040 Pgdokkfg.exe 104 PID 2320 wrote to memory of 1184 2320 Pjbkgfej.exe 105 PID 2320 wrote to memory of 1184 2320 Pjbkgfej.exe 105 PID 2320 wrote to memory of 1184 2320 Pjbkgfej.exe 105 PID 1184 wrote to memory of 2096 1184 Ppmcdq32.exe 106 PID 1184 wrote to memory of 2096 1184 Ppmcdq32.exe 106 PID 1184 wrote to memory of 2096 1184 Ppmcdq32.exe 106 PID 2096 wrote to memory of 3748 2096 Pgflqkdd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe"C:\Users\Admin\AppData\Local\Temp\c6ec4cb4bf8008a413685c8463beb57612abeab5fd2f50bfdb21fd95451ae31a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe23⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe24⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe25⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe26⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe27⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe28⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe29⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe30⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe31⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe32⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe33⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe34⤵PID:4744
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe36⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe37⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe38⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe39⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe40⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe41⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe42⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe43⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe44⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe45⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe46⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe47⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe48⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe49⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe50⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe51⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe52⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe53⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe54⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe55⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe56⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe57⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe58⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe59⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe60⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3404 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4820 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe64⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe65⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe67⤵PID:1608
-
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe68⤵PID:4408
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe69⤵PID:2116
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe71⤵PID:2232
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe72⤵PID:4380
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe73⤵
- Drops file in System32 directory
PID:620 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe74⤵PID:3520
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe75⤵PID:3844
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe76⤵PID:3024
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe77⤵
- Drops file in System32 directory
PID:588 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe78⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe79⤵PID:1196
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe80⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe81⤵PID:2460
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe82⤵PID:948
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe83⤵PID:2368
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe84⤵PID:1128
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe85⤵PID:3292
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe86⤵PID:1864
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe87⤵PID:4064
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe88⤵PID:2076
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3236 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe90⤵PID:3612
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe91⤵PID:1656
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe92⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe93⤵PID:2808
-
C:\Windows\SysWOW64\Eangpgcl.exeC:\Windows\system32\Eangpgcl.exe94⤵PID:4028
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe95⤵PID:1676
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe96⤵PID:4368
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3628 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe98⤵PID:2680
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe99⤵PID:3208
-
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe100⤵PID:1740
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe101⤵
- System Location Discovery: System Language Discovery
PID:384 -
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe102⤵PID:3088
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe103⤵
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe104⤵PID:3944
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe105⤵PID:2836
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe106⤵PID:5156
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe107⤵PID:5200
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe108⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe109⤵PID:5288
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe110⤵
- Modifies registry class
PID:5332 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe111⤵PID:5376
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe112⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe113⤵PID:5460
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe114⤵PID:5496
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe116⤵PID:5584
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe117⤵PID:5628
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe118⤵PID:5672
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe119⤵PID:5716
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe120⤵PID:5760
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe121⤵PID:5804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-