Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/09/2024, 18:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9834d9fd54b5a9439234ee3f78c617d0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9834d9fd54b5a9439234ee3f78c617d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9834d9fd54b5a9439234ee3f78c617d0N.exe
-
Size
85KB
-
MD5
9834d9fd54b5a9439234ee3f78c617d0
-
SHA1
c93a4e0b58b4cf1afc1965b3b0e5b158a1fdd8fe
-
SHA256
a21285258fa522877024c997f9a349b574c65807a0401655463240c2ba5d1830
-
SHA512
e36152bfa96bb98535fbd3c45fd0a3d9f42a87726569f5f50b76906d8246d0438f63342072673198037a24543151cd2a0d8246bab8661febb7e22edc4cd8293c
-
SSDEEP
1536:t5XVtlD3fMqZRMuh1oU6SR2pXKhnAxyTh2LHxMQ262AjCsQ2PCZZrqOlNfVSLUK+:txVtlrfzZRMuh1oU6SRmXKlGyT6HxMQo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmbee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfogbjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpgnjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikdkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkhmoap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpejlmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnqklgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiieicml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljaoeini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhahaiec.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkpgafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jppnpjel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qadoba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epndknin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpacqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglmio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilccoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkbfeab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebngial.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfldgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apeknk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghekkmn.exe -
Executes dropped EXE 64 IoCs
pid Process 1192 Lldopb32.exe 1176 Lelchgne.exe 544 Llflea32.exe 3152 Lndham32.exe 1476 Lacdmh32.exe 3692 Lhmmjbkf.exe 3172 Mbbagk32.exe 2528 Milidebi.exe 1672 Mniallpq.exe 3732 Mahnhhod.exe 3824 Mhafeb32.exe 2956 Mbgjbkfg.exe 3216 Meefofek.exe 1536 Mhdckaeo.exe 2768 Mbighjdd.exe 3196 Mhfppabl.exe 2456 Mnphmkji.exe 1464 Mejpje32.exe 3268 Njghbl32.exe 4192 Nemmoe32.exe 892 Nlfelogp.exe 2480 Noeahkfc.exe 5092 Neoieenp.exe 4108 Nhmeapmd.exe 428 Nbcjnilj.exe 3228 Nlkngo32.exe 4812 Nojjcj32.exe 4832 Nlnkmnah.exe 2292 Nbgcih32.exe 348 Niakfbpa.exe 2392 Okchnk32.exe 1868 Oehlkc32.exe 1808 Olbdhn32.exe 3332 Oblmdhdo.exe 4464 Oifeab32.exe 672 Oocmii32.exe 2952 Oaajed32.exe 1620 Ohkbbn32.exe 4544 Olgncmim.exe 3132 Obafpg32.exe 100 Ohnohn32.exe 856 Oklkdi32.exe 2196 Oafcqcea.exe 4392 Ohpkmn32.exe 1044 Pkogiikb.exe 4052 Pahpfc32.exe 2248 Piphgq32.exe 4484 Pkadoiip.exe 3884 Pakllc32.exe 4268 Plpqil32.exe 3504 Pcjiff32.exe 4856 Pidabppl.exe 1332 Pkenjh32.exe 3776 Pekbga32.exe 4244 Phincl32.exe 2180 Pocfpf32.exe 3244 Pemomqcn.exe 3988 Qhlkilba.exe 3340 Qkjgegae.exe 2756 Qadoba32.exe 3516 Qhngolpo.exe 3168 Qohpkf32.exe 4828 Qcclld32.exe 2336 Ahqddk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pakllc32.exe Pkadoiip.exe File created C:\Windows\SysWOW64\Pkpmdbfd.exe Pdfehh32.exe File created C:\Windows\SysWOW64\Egjgdg32.dll Albpkc32.exe File created C:\Windows\SysWOW64\Ifenan32.dll Jnlkedai.exe File created C:\Windows\SysWOW64\Ljnlecmp.exe Lgpoihnl.exe File opened for modification C:\Windows\SysWOW64\Jihbip32.exe Jaajhb32.exe File created C:\Windows\SysWOW64\Dkjfaikb.dll Objkmkjj.exe File opened for modification C:\Windows\SysWOW64\Cmbgdl32.exe Cigkdmel.exe File created C:\Windows\SysWOW64\Jppadk32.dll Okchnk32.exe File created C:\Windows\SysWOW64\Nenbjo32.exe Nndjndbh.exe File opened for modification C:\Windows\SysWOW64\Monjjgkb.exe Mmpmnl32.exe File opened for modification C:\Windows\SysWOW64\Oblmdhdo.exe Olbdhn32.exe File created C:\Windows\SysWOW64\Dbkjdh32.dll Ahqddk32.exe File opened for modification C:\Windows\SysWOW64\Aaldccip.exe Aonhghjl.exe File created C:\Windows\SysWOW64\Lindkm32.exe Lafmjp32.exe File created C:\Windows\SysWOW64\Fdccbl32.exe Fmikeaap.exe File created C:\Windows\SysWOW64\Pjbcplpe.exe Phcgcqab.exe File opened for modification C:\Windows\SysWOW64\Ddgibkpc.exe Dahmfpap.exe File created C:\Windows\SysWOW64\Bnkbcj32.exe Bklfgo32.exe File created C:\Windows\SysWOW64\Lckiihok.exe Lqmmmmph.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cammjakm.exe File created C:\Windows\SysWOW64\Ihpcinld.exe Ieagmcmq.exe File created C:\Windows\SysWOW64\Ghcfpl32.dll Nblolm32.exe File opened for modification C:\Windows\SysWOW64\Afappe32.exe Apggckbf.exe File created C:\Windows\SysWOW64\Hpabni32.exe Hmbfbn32.exe File created C:\Windows\SysWOW64\Pkbjjbda.exe Phdnngdn.exe File opened for modification C:\Windows\SysWOW64\Dgbanq32.exe Ddcebe32.exe File created C:\Windows\SysWOW64\Bfjkjgbh.dll Efepbi32.exe File created C:\Windows\SysWOW64\Aooold32.dll Lckiihok.exe File created C:\Windows\SysWOW64\Ijilflah.dll Chkobkod.exe File opened for modification C:\Windows\SysWOW64\Ggmmlamj.exe Geoapenf.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gpecbk32.exe File created C:\Windows\SysWOW64\Jkdgfllg.dll Bhnikc32.exe File created C:\Windows\SysWOW64\Gpolbo32.exe Giecfejd.exe File opened for modification C:\Windows\SysWOW64\Ejlbhh32.exe Efafgifc.exe File created C:\Windows\SysWOW64\Dhhdcojj.dll Gingkqkd.exe File created C:\Windows\SysWOW64\Anmfbl32.exe Aknifq32.exe File opened for modification C:\Windows\SysWOW64\Ahdpjn32.exe Adhdjpjf.exe File created C:\Windows\SysWOW64\Qjffpe32.exe Pmbegqjk.exe File opened for modification C:\Windows\SysWOW64\Ohnohn32.exe Obafpg32.exe File created C:\Windows\SysWOW64\Nagpeo32.exe Nmlddqem.exe File opened for modification C:\Windows\SysWOW64\Hppeim32.exe Hifmmb32.exe File created C:\Windows\SysWOW64\Objkmkjj.exe Ocgkan32.exe File created C:\Windows\SysWOW64\Odgpqgeo.dll Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Enigke32.exe Ekkkoj32.exe File created C:\Windows\SysWOW64\Lfmmaj32.dll Gimqajgh.exe File opened for modification C:\Windows\SysWOW64\Pbcncibp.exe Pqbala32.exe File created C:\Windows\SysWOW64\Hgdejd32.exe Hpjmnjqn.exe File created C:\Windows\SysWOW64\Ncdmbe32.dll Malpia32.exe File opened for modification C:\Windows\SysWOW64\Oaqbkn32.exe Ojgjndno.exe File created C:\Windows\SysWOW64\Bpcaaeme.dll Ahmjjoig.exe File created C:\Windows\SysWOW64\Mpkcqhdh.dll Doccpcja.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Ekjded32.exe File opened for modification C:\Windows\SysWOW64\Gngeik32.exe Ggmmlamj.exe File created C:\Windows\SysWOW64\Pkbcikkp.dll Mhjhmhhd.exe File opened for modification C:\Windows\SysWOW64\Aomifecf.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Dmeoam32.dll Kkjeomld.exe File created C:\Windows\SysWOW64\Mjaonjaj.dll Ebkbbmqj.exe File created C:\Windows\SysWOW64\Oehlkc32.exe Okchnk32.exe File created C:\Windows\SysWOW64\Cmncbodd.dll Olgncmim.exe File opened for modification C:\Windows\SysWOW64\Fjhacf32.exe Fbajbi32.exe File created C:\Windows\SysWOW64\Gajaoo32.dll Fmikeaap.exe File opened for modification C:\Windows\SysWOW64\Nndjndbh.exe Nlfnaicd.exe File opened for modification C:\Windows\SysWOW64\Qkipkani.exe Qhkdof32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4012 724 WerFault.exe 1009 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcndeen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlofcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giecfejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pekbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnmfclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjffpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqiibjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mledmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaggp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgpbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakikoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edbiniff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghpbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibgdlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopocbcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijkdmhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmigoagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdagpnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefjii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpaqmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkbbmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boenhgdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgqhicg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kegpifod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabkbono.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhdnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badanigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlglidlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngeik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcgdhkem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofmobmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbiec32.dll" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgeakekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljceqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpeahb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mebcop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahcld32.dll" Igdgglfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Domdjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll" Nceefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnebo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjimhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekddhcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpidaqmj.dll" Jinboekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddcenpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdcojj.dll" Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll" Daeifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnpphljo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijqcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll" Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgdojhec.dll" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhenai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocihgnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfiedd32.dll" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapfpelh.dll" Klekfinp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbcfhibj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbanbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjillkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjjof32.dll" Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgbpaipl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoejj32.dll" Ofjqihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnclimck.dll" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhelik32.dll" Knqepc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lncjlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqjha32.dll" Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjmhg32.dll" Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdcebook.dll" Anclbkbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdhdp32.dll" Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapjhc32.dll" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gppcmeem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hedafk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1308 wrote to memory of 1192 1308 9834d9fd54b5a9439234ee3f78c617d0N.exe 83 PID 1308 wrote to memory of 1192 1308 9834d9fd54b5a9439234ee3f78c617d0N.exe 83 PID 1308 wrote to memory of 1192 1308 9834d9fd54b5a9439234ee3f78c617d0N.exe 83 PID 1192 wrote to memory of 1176 1192 Lldopb32.exe 84 PID 1192 wrote to memory of 1176 1192 Lldopb32.exe 84 PID 1192 wrote to memory of 1176 1192 Lldopb32.exe 84 PID 1176 wrote to memory of 544 1176 Lelchgne.exe 86 PID 1176 wrote to memory of 544 1176 Lelchgne.exe 86 PID 1176 wrote to memory of 544 1176 Lelchgne.exe 86 PID 544 wrote to memory of 3152 544 Llflea32.exe 87 PID 544 wrote to memory of 3152 544 Llflea32.exe 87 PID 544 wrote to memory of 3152 544 Llflea32.exe 87 PID 3152 wrote to memory of 1476 3152 Lndham32.exe 88 PID 3152 wrote to memory of 1476 3152 Lndham32.exe 88 PID 3152 wrote to memory of 1476 3152 Lndham32.exe 88 PID 1476 wrote to memory of 3692 1476 Lacdmh32.exe 89 PID 1476 wrote to memory of 3692 1476 Lacdmh32.exe 89 PID 1476 wrote to memory of 3692 1476 Lacdmh32.exe 89 PID 3692 wrote to memory of 3172 3692 Lhmmjbkf.exe 90 PID 3692 wrote to memory of 3172 3692 Lhmmjbkf.exe 90 PID 3692 wrote to memory of 3172 3692 Lhmmjbkf.exe 90 PID 3172 wrote to memory of 2528 3172 Mbbagk32.exe 92 PID 3172 wrote to memory of 2528 3172 Mbbagk32.exe 92 PID 3172 wrote to memory of 2528 3172 Mbbagk32.exe 92 PID 2528 wrote to memory of 1672 2528 Milidebi.exe 93 PID 2528 wrote to memory of 1672 2528 Milidebi.exe 93 PID 2528 wrote to memory of 1672 2528 Milidebi.exe 93 PID 1672 wrote to memory of 3732 1672 Mniallpq.exe 94 PID 1672 wrote to memory of 3732 1672 Mniallpq.exe 94 PID 1672 wrote to memory of 3732 1672 Mniallpq.exe 94 PID 3732 wrote to memory of 3824 3732 Mahnhhod.exe 95 PID 3732 wrote to memory of 3824 3732 Mahnhhod.exe 95 PID 3732 wrote to memory of 3824 3732 Mahnhhod.exe 95 PID 3824 wrote to memory of 2956 3824 Mhafeb32.exe 96 PID 3824 wrote to memory of 2956 3824 Mhafeb32.exe 96 PID 3824 wrote to memory of 2956 3824 Mhafeb32.exe 96 PID 2956 wrote to memory of 3216 2956 Mbgjbkfg.exe 97 PID 2956 wrote to memory of 3216 2956 Mbgjbkfg.exe 97 PID 2956 wrote to memory of 3216 2956 Mbgjbkfg.exe 97 PID 3216 wrote to memory of 1536 3216 Meefofek.exe 98 PID 3216 wrote to memory of 1536 3216 Meefofek.exe 98 PID 3216 wrote to memory of 1536 3216 Meefofek.exe 98 PID 1536 wrote to memory of 2768 1536 Mhdckaeo.exe 100 PID 1536 wrote to memory of 2768 1536 Mhdckaeo.exe 100 PID 1536 wrote to memory of 2768 1536 Mhdckaeo.exe 100 PID 2768 wrote to memory of 3196 2768 Mbighjdd.exe 101 PID 2768 wrote to memory of 3196 2768 Mbighjdd.exe 101 PID 2768 wrote to memory of 3196 2768 Mbighjdd.exe 101 PID 3196 wrote to memory of 2456 3196 Mhfppabl.exe 102 PID 3196 wrote to memory of 2456 3196 Mhfppabl.exe 102 PID 3196 wrote to memory of 2456 3196 Mhfppabl.exe 102 PID 2456 wrote to memory of 1464 2456 Mnphmkji.exe 103 PID 2456 wrote to memory of 1464 2456 Mnphmkji.exe 103 PID 2456 wrote to memory of 1464 2456 Mnphmkji.exe 103 PID 1464 wrote to memory of 3268 1464 Mejpje32.exe 104 PID 1464 wrote to memory of 3268 1464 Mejpje32.exe 104 PID 1464 wrote to memory of 3268 1464 Mejpje32.exe 104 PID 3268 wrote to memory of 4192 3268 Njghbl32.exe 105 PID 3268 wrote to memory of 4192 3268 Njghbl32.exe 105 PID 3268 wrote to memory of 4192 3268 Njghbl32.exe 105 PID 4192 wrote to memory of 892 4192 Nemmoe32.exe 106 PID 4192 wrote to memory of 892 4192 Nemmoe32.exe 106 PID 4192 wrote to memory of 892 4192 Nemmoe32.exe 106 PID 892 wrote to memory of 2480 892 Nlfelogp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\9834d9fd54b5a9439234ee3f78c617d0N.exe"C:\Users\Admin\AppData\Local\Temp\9834d9fd54b5a9439234ee3f78c617d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe23⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe24⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe25⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe26⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe27⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe28⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe29⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe30⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe31⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe33⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe36⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe38⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe39⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3132 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe42⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe43⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe44⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe45⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe46⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe47⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe50⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe51⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe52⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe53⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe54⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3776 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe56⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe57⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe58⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe60⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe62⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe66⤵PID:4028
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe67⤵PID:3544
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe68⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe69⤵PID:4588
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe70⤵PID:5040
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe71⤵PID:4764
-
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe72⤵PID:412
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe73⤵PID:1644
-
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe74⤵PID:1596
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe75⤵PID:2408
-
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe76⤵PID:4188
-
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe77⤵
- System Location Discovery: System Language Discovery
PID:3708 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe78⤵PID:3948
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe80⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe81⤵
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe82⤵PID:2092
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe83⤵PID:1204
-
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe84⤵PID:4460
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe85⤵PID:2876
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe86⤵PID:2276
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe87⤵PID:556
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe88⤵
- System Location Discovery: System Language Discovery
PID:3372 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe89⤵PID:4060
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe90⤵PID:2300
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe91⤵
- Modifies registry class
PID:4888 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe92⤵PID:4524
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4492 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe94⤵PID:3232
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe95⤵PID:876
-
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe96⤵PID:968
-
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe97⤵PID:4040
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3436 -
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe99⤵PID:1692
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe100⤵PID:528
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe101⤵PID:1584
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe102⤵PID:3688
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe103⤵PID:5020
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe104⤵PID:1404
-
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe105⤵PID:3820
-
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe106⤵PID:4496
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe107⤵PID:3320
-
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe108⤵PID:1240
-
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe109⤵PID:5128
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe110⤵PID:5172
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe111⤵PID:5216
-
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe112⤵PID:5260
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe113⤵PID:5304
-
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe115⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe116⤵PID:5436
-
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5480 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe118⤵PID:5524
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe119⤵PID:5568
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe120⤵PID:5616
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe121⤵
- Drops file in System32 directory
PID:5660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-