Analysis
-
max time kernel
125s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/09/2024, 09:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe
-
Size
96KB
-
MD5
1615a2bd9b0099e3e7308bbfe6027075
-
SHA1
03332af6b8bcc17a06e18530d529ceefa972da90
-
SHA256
a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237
-
SHA512
21f236d1e33bb7ebc15b5d3feee5589116269db4f71a66d52aac3ebae8d7743829a00400429ef2db8a12848ba3c9a161260a6448e678f0fbbeb5fdcce0e619f8
-
SSDEEP
1536:FPMCcME8jQtmu6qYlUD7J5pEQV/k60ayKkHFGqVNySbKUvLO/BOmgCMy0QiLiizd:FsdqQspUXdEQ5k60aynlGqVNdvLO5OmO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khbhdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfpcada.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnenchoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eecfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcggga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnkkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbmnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkfcigkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adqeaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flodilma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeiie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbjlpga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eepbabjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnjednnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejdhcjpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlhpaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdloelpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icminm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbopm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oinkmdml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkkdhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqgiel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmgmhgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imcqacfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loecgfjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpqlfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaflio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhchc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqmam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejhkdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejjgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdokmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmamba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adjnaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjbfjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqghcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhplpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcfnqccd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjqjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmhhpkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndpcdjho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hodqlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hklglk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npgjbabk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiphbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmnfglcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcdqhecd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefoni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngnppfgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejglcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjipmoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omkmhlpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoapcood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbklli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaihonhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajmgof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flpbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fljedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcmqin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqkijnkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmddihfj.exe -
Executes dropped EXE 64 IoCs
pid Process 1600 Pijcpmhc.exe 3984 Pkholi32.exe 1432 Pcpgmf32.exe 4016 Pmhkflnj.exe 2188 Pcbdcf32.exe 2384 Pecpknke.exe 4776 Pcdqhecd.exe 2368 Peempn32.exe 1248 Pmmeak32.exe 2856 Pbimjb32.exe 5084 Pomncfge.exe 4104 Qifbll32.exe 4976 Qbngeadf.exe 3780 Qkfkng32.exe 1356 Aeopfl32.exe 1344 Apddce32.exe 1076 Abjfqpji.exe 4900 Albkieqj.exe 1948 Bfhofnpp.exe 4484 Bclppboi.exe 5000 Bmddihfj.exe 4640 Bflham32.exe 3448 Bpemkcck.exe 2484 Bfoegm32.exe 4824 Blknpdho.exe 4312 Bedbhi32.exe 5092 Bmkjig32.exe 1044 Cefoni32.exe 524 Clpgkcdj.exe 1064 Cbjogmlf.exe 3304 Cmpcdfll.exe 724 Cfhhml32.exe 1008 Cpqlfa32.exe 3340 Cemeoh32.exe 4396 Cmdmpe32.exe 4844 Cdnelpod.exe 2288 Clijablo.exe 1652 Ddqbbo32.exe 4816 Dpgbgpbe.exe 4880 Dipgpf32.exe 3940 Dbhlikpf.exe 2728 Defheg32.exe 2184 Dlqpaafg.exe 2252 Deidjf32.exe 4712 Didqkeeq.exe 760 Ddjehneg.exe 3964 Dghadidj.exe 3688 Eleimp32.exe 3428 Eennefib.exe 4680 Ecanojgl.exe 4060 Emgblc32.exe 3980 Egpgehnb.exe 2316 Ellpmolj.exe 4444 Ecfhji32.exe 3840 Egbdjhlp.exe 4564 Eippgckc.exe 4376 Elolco32.exe 1276 Edfddl32.exe 4460 Egdqph32.exe 2128 Eibmlc32.exe 4196 Fdhail32.exe 3388 Flcfnn32.exe 2764 Fdjnolfd.exe 4328 Fjgfgbek.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Egelgoah.exe Eakdje32.exe File created C:\Windows\SysWOW64\Ncmoej32.dll Lmhnea32.exe File opened for modification C:\Windows\SysWOW64\Mnggnh32.exe Mmfjfp32.exe File created C:\Windows\SysWOW64\Hcfcmnce.exe Hllkqdli.exe File created C:\Windows\SysWOW64\Qidimpef.dll Abdoqd32.exe File opened for modification C:\Windows\SysWOW64\Opgciodi.exe Oinkmdml.exe File opened for modification C:\Windows\SysWOW64\Akkmocjl.exe Apfhajjf.exe File opened for modification C:\Windows\SysWOW64\Ddpjjd32.exe Dnfanjqp.exe File created C:\Windows\SysWOW64\Egeemiml.exe Eqkmpo32.exe File opened for modification C:\Windows\SysWOW64\Hdodeedi.exe Hmdlhk32.exe File created C:\Windows\SysWOW64\Dejhkj32.dll Dghadidj.exe File opened for modification C:\Windows\SysWOW64\Gmnfglcd.exe Gceaofmc.exe File created C:\Windows\SysWOW64\Pqdako32.dll Kkdoje32.exe File created C:\Windows\SysWOW64\Pmipdq32.exe Pkkdhe32.exe File created C:\Windows\SysWOW64\Adbfel32.dll Dklomnmf.exe File created C:\Windows\SysWOW64\Obqopddf.exe Opbcdieb.exe File opened for modification C:\Windows\SysWOW64\Qlpcpffl.exe Qefkcl32.exe File created C:\Windows\SysWOW64\Cjdecfcc.dll Gfodpbpl.exe File created C:\Windows\SysWOW64\Johmahhb.dll Eennefib.exe File created C:\Windows\SysWOW64\Ehifak32.exe Efhjjcpo.exe File created C:\Windows\SysWOW64\Ianfdf32.dll Lpelqj32.exe File opened for modification C:\Windows\SysWOW64\Nhhldc32.exe Nandhi32.exe File created C:\Windows\SysWOW64\Ghbkdald.exe Gbecljnl.exe File created C:\Windows\SysWOW64\Jlcdjfpl.dll Jgdphm32.exe File opened for modification C:\Windows\SysWOW64\Qhekaejj.exe Qffoejkg.exe File created C:\Windows\SysWOW64\Mkdagm32.exe Mieeka32.exe File created C:\Windows\SysWOW64\Nnidcg32.exe Nkkggl32.exe File opened for modification C:\Windows\SysWOW64\Lqdcio32.exe Locgagli.exe File created C:\Windows\SysWOW64\Kqiibcbk.dll Jjpmfpid.exe File created C:\Windows\SysWOW64\Ecblbi32.exe Eqdpfm32.exe File created C:\Windows\SysWOW64\Bechccgd.dll Dlqpaafg.exe File opened for modification C:\Windows\SysWOW64\Nejgbn32.exe Noqofdlj.exe File created C:\Windows\SysWOW64\Epgdch32.exe Eimlgnij.exe File created C:\Windows\SysWOW64\Cgfmol32.dll Kimgba32.exe File created C:\Windows\SysWOW64\Lpjelibg.exe Lagepl32.exe File created C:\Windows\SysWOW64\Fnghjd32.dll Mpenmadn.exe File created C:\Windows\SysWOW64\Pcfhlh32.exe Pllppnnm.exe File created C:\Windows\SysWOW64\Nmeikqpi.dll Haeino32.exe File created C:\Windows\SysWOW64\Aikijjon.exe Agmmnnpj.exe File opened for modification C:\Windows\SysWOW64\Gcfjfqah.exe Gllajf32.exe File created C:\Windows\SysWOW64\Eghdmn32.dll Lmkbeg32.exe File created C:\Windows\SysWOW64\Qipjokik.exe Qbeaba32.exe File created C:\Windows\SysWOW64\Opfjmg32.dll Fqiiamjp.exe File opened for modification C:\Windows\SysWOW64\Ldqfddml.exe Locnlmoe.exe File opened for modification C:\Windows\SysWOW64\Nifnao32.exe Nnpjdfpb.exe File created C:\Windows\SysWOW64\Boohcpgm.exe Blqlgdhi.exe File opened for modification C:\Windows\SysWOW64\Icpecm32.exe Imfmgcdn.exe File created C:\Windows\SysWOW64\Cinpdl32.exe Cqghcn32.exe File created C:\Windows\SysWOW64\Clbcll32.dll Djipbbne.exe File opened for modification C:\Windows\SysWOW64\Kkdoje32.exe Kcfnqccd.exe File created C:\Windows\SysWOW64\Flodilma.exe Fchlhnlo.exe File created C:\Windows\SysWOW64\Daajam32.dll Ggfobofl.exe File opened for modification C:\Windows\SysWOW64\Ldnjndpo.exe Lbpmbipk.exe File created C:\Windows\SysWOW64\Mcolikbl.dll Lnikmjdm.exe File created C:\Windows\SysWOW64\Imdnon32.dll Dpgbgpbe.exe File created C:\Windows\SysWOW64\Mhmcck32.exe Mackfa32.exe File created C:\Windows\SysWOW64\Nolekd32.exe Nhbmnj32.exe File created C:\Windows\SysWOW64\Adkcem32.dll Bfpkbfdi.exe File created C:\Windows\SysWOW64\Eoconenj.exe Ehifak32.exe File opened for modification C:\Windows\SysWOW64\Aeigilml.exe Qlpcpffl.exe File created C:\Windows\SysWOW64\Odcojm32.exe Opgciodi.exe File opened for modification C:\Windows\SysWOW64\Gaccbaeq.exe Flfjjkgi.exe File created C:\Windows\SysWOW64\Cdhcea32.dll Dnekcd32.exe File opened for modification C:\Windows\SysWOW64\Albkieqj.exe Abjfqpji.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10108 9416 WerFault.exe 1112 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkqdnkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfbmgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfabok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmmkcko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciogobcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpihbjmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilpfgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhlepkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehklmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipffmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqqek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgfhnpde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpenmadn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjednnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdcbiol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobnji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defheg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmncif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doidql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naqqmieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcfnqccd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpckjlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbfjjlgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmejlcoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmqapcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdqhecd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpqlfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjnhiiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeomfioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapobl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphddlfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clffalkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkilbni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlblcdpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainfpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjogmlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqdlmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhiinbdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnljine.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maeaajpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjoknhbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklbop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkigojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngnppfgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjgidfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohilc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bekmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihlgan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmhlijpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgehml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbknhqbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidbgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdlpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeodqocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkpmcddi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdfndpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekdolkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgbmffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolaqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqdcio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oapllk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokcjngj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hedhoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelkha32.dll" Kmbmdeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfppjh.dll" Fbjjkble.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfhlbmpm.dll" Hfniikha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkmck32.dll" Fhflhcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blqlgdhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lggeej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfioj32.dll" Kaihonhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjcok32.dll" Eglbhnkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fblhbnpk.dll" Gmjcgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obddmc32.dll" Geqlhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opbcdieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omkmhlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmiiidk.dll" Ljncnhhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfhgcbfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhkecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnpmkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmejlcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdpmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihgnf32.dll" Nnpjdfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopeamfc.dll" Oapllk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeiij32.dll" Eggbbhkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianfdf32.dll" Lpelqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnfanjqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enaaiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkgdc32.dll" Jdkdbgpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmommn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opgloh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgnolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cifmoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnifj32.dll" Ghbkdald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkofofbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpgnmcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjkigojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kddpnpdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncaepc32.dll" Lgnleiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbaqaamj.dll" Mdokmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoekde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amqfdcji.dll" Nmpdgdmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmkibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbhida32.dll" Jdhpba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofalfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qifbll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deokja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" Ceeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgjmkqke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Albpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfeigjf.dll" Bpgnmcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoffjidl.dll" Gmdoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpjjpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hohjgpmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alelkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbifd32.dll" Fanbll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pclafhka.dll" Galonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfcccj32.dll" Cmmbmiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docpdpol.dll" Jffokn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gccmaack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paiqjieh.dll" Nfdfoala.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ababkdij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cipokd32.dll" Kcfnqccd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adohmidb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoepmd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1048 wrote to memory of 1600 1048 a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe 90 PID 1048 wrote to memory of 1600 1048 a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe 90 PID 1048 wrote to memory of 1600 1048 a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe 90 PID 1600 wrote to memory of 3984 1600 Pijcpmhc.exe 91 PID 1600 wrote to memory of 3984 1600 Pijcpmhc.exe 91 PID 1600 wrote to memory of 3984 1600 Pijcpmhc.exe 91 PID 3984 wrote to memory of 1432 3984 Pkholi32.exe 92 PID 3984 wrote to memory of 1432 3984 Pkholi32.exe 92 PID 3984 wrote to memory of 1432 3984 Pkholi32.exe 92 PID 1432 wrote to memory of 4016 1432 Pcpgmf32.exe 93 PID 1432 wrote to memory of 4016 1432 Pcpgmf32.exe 93 PID 1432 wrote to memory of 4016 1432 Pcpgmf32.exe 93 PID 4016 wrote to memory of 2188 4016 Pmhkflnj.exe 94 PID 4016 wrote to memory of 2188 4016 Pmhkflnj.exe 94 PID 4016 wrote to memory of 2188 4016 Pmhkflnj.exe 94 PID 2188 wrote to memory of 2384 2188 Pcbdcf32.exe 95 PID 2188 wrote to memory of 2384 2188 Pcbdcf32.exe 95 PID 2188 wrote to memory of 2384 2188 Pcbdcf32.exe 95 PID 2384 wrote to memory of 4776 2384 Pecpknke.exe 97 PID 2384 wrote to memory of 4776 2384 Pecpknke.exe 97 PID 2384 wrote to memory of 4776 2384 Pecpknke.exe 97 PID 4776 wrote to memory of 2368 4776 Pcdqhecd.exe 98 PID 4776 wrote to memory of 2368 4776 Pcdqhecd.exe 98 PID 4776 wrote to memory of 2368 4776 Pcdqhecd.exe 98 PID 2368 wrote to memory of 1248 2368 Peempn32.exe 99 PID 2368 wrote to memory of 1248 2368 Peempn32.exe 99 PID 2368 wrote to memory of 1248 2368 Peempn32.exe 99 PID 1248 wrote to memory of 2856 1248 Pmmeak32.exe 100 PID 1248 wrote to memory of 2856 1248 Pmmeak32.exe 100 PID 1248 wrote to memory of 2856 1248 Pmmeak32.exe 100 PID 2856 wrote to memory of 5084 2856 Pbimjb32.exe 102 PID 2856 wrote to memory of 5084 2856 Pbimjb32.exe 102 PID 2856 wrote to memory of 5084 2856 Pbimjb32.exe 102 PID 5084 wrote to memory of 4104 5084 Pomncfge.exe 103 PID 5084 wrote to memory of 4104 5084 Pomncfge.exe 103 PID 5084 wrote to memory of 4104 5084 Pomncfge.exe 103 PID 4104 wrote to memory of 4976 4104 Qifbll32.exe 104 PID 4104 wrote to memory of 4976 4104 Qifbll32.exe 104 PID 4104 wrote to memory of 4976 4104 Qifbll32.exe 104 PID 4976 wrote to memory of 3780 4976 Qbngeadf.exe 105 PID 4976 wrote to memory of 3780 4976 Qbngeadf.exe 105 PID 4976 wrote to memory of 3780 4976 Qbngeadf.exe 105 PID 3780 wrote to memory of 1356 3780 Qkfkng32.exe 106 PID 3780 wrote to memory of 1356 3780 Qkfkng32.exe 106 PID 3780 wrote to memory of 1356 3780 Qkfkng32.exe 106 PID 1356 wrote to memory of 1344 1356 Aeopfl32.exe 108 PID 1356 wrote to memory of 1344 1356 Aeopfl32.exe 108 PID 1356 wrote to memory of 1344 1356 Aeopfl32.exe 108 PID 1344 wrote to memory of 1076 1344 Apddce32.exe 109 PID 1344 wrote to memory of 1076 1344 Apddce32.exe 109 PID 1344 wrote to memory of 1076 1344 Apddce32.exe 109 PID 1076 wrote to memory of 4900 1076 Abjfqpji.exe 110 PID 1076 wrote to memory of 4900 1076 Abjfqpji.exe 110 PID 1076 wrote to memory of 4900 1076 Abjfqpji.exe 110 PID 4900 wrote to memory of 1948 4900 Albkieqj.exe 111 PID 4900 wrote to memory of 1948 4900 Albkieqj.exe 111 PID 4900 wrote to memory of 1948 4900 Albkieqj.exe 111 PID 1948 wrote to memory of 4484 1948 Bfhofnpp.exe 112 PID 1948 wrote to memory of 4484 1948 Bfhofnpp.exe 112 PID 1948 wrote to memory of 4484 1948 Bfhofnpp.exe 112 PID 4484 wrote to memory of 5000 4484 Bclppboi.exe 113 PID 4484 wrote to memory of 5000 4484 Bclppboi.exe 113 PID 4484 wrote to memory of 5000 4484 Bclppboi.exe 113 PID 5000 wrote to memory of 4640 5000 Bmddihfj.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe"C:\Users\Admin\AppData\Local\Temp\a299e729ae94b0c10831afc816352caf3122c1288c83c47e378067e2aa41b237.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Pmhkflnj.exeC:\Windows\system32\Pmhkflnj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Pcdqhecd.exeC:\Windows\system32\Pcdqhecd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Pbimjb32.exeC:\Windows\system32\Pbimjb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Pomncfge.exeC:\Windows\system32\Pomncfge.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Bfhofnpp.exeC:\Windows\system32\Bfhofnpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Bmddihfj.exeC:\Windows\system32\Bmddihfj.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Bflham32.exeC:\Windows\system32\Bflham32.exe23⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe24⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe25⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Blknpdho.exeC:\Windows\system32\Blknpdho.exe26⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe27⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe28⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe30⤵
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Cmpcdfll.exeC:\Windows\system32\Cmpcdfll.exe32⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe33⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Cpqlfa32.exeC:\Windows\system32\Cpqlfa32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe35⤵
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe36⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe37⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe38⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe39⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4816 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe41⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe42⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe45⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe46⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe47⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3964 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe49⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe51⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe52⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe53⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe54⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe55⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe56⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe57⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe58⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe59⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe60⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe61⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe62⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Flcfnn32.exeC:\Windows\system32\Flcfnn32.exe63⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Fdjnolfd.exeC:\Windows\system32\Fdjnolfd.exe64⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe65⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Fpandm32.exeC:\Windows\system32\Fpandm32.exe66⤵PID:4184
-
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe67⤵PID:2168
-
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe68⤵
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe69⤵PID:5136
-
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe70⤵PID:5180
-
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe71⤵PID:5228
-
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe72⤵PID:5276
-
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe73⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe74⤵PID:5368
-
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe75⤵PID:5412
-
C:\Windows\SysWOW64\Ggdigekj.exeC:\Windows\system32\Ggdigekj.exe76⤵PID:5456
-
C:\Windows\SysWOW64\Gqmnpk32.exeC:\Windows\system32\Gqmnpk32.exe77⤵PID:5500
-
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe78⤵PID:5544
-
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe79⤵
- Modifies registry class
PID:5588 -
C:\Windows\SysWOW64\Gdkffi32.exeC:\Windows\system32\Gdkffi32.exe80⤵PID:5632
-
C:\Windows\SysWOW64\Gflcnanp.exeC:\Windows\system32\Gflcnanp.exe81⤵PID:5676
-
C:\Windows\SysWOW64\Gnckooob.exeC:\Windows\system32\Gnckooob.exe82⤵PID:5724
-
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe83⤵PID:5768
-
C:\Windows\SysWOW64\Hmhhpkcj.exeC:\Windows\system32\Hmhhpkcj.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5812 -
C:\Windows\SysWOW64\Hdppaidl.exeC:\Windows\system32\Hdppaidl.exe85⤵PID:5868
-
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe86⤵PID:5944
-
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe87⤵PID:5988
-
C:\Windows\SysWOW64\Hnhdjn32.exeC:\Windows\system32\Hnhdjn32.exe88⤵PID:6032
-
C:\Windows\SysWOW64\Hcembe32.exeC:\Windows\system32\Hcembe32.exe89⤵PID:6076
-
C:\Windows\SysWOW64\Hfcinq32.exeC:\Windows\system32\Hfcinq32.exe90⤵PID:6120
-
C:\Windows\SysWOW64\Hddilh32.exeC:\Windows\system32\Hddilh32.exe91⤵
- System Location Discovery: System Language Discovery
PID:5152 -
C:\Windows\SysWOW64\Hjabdo32.exeC:\Windows\system32\Hjabdo32.exe92⤵PID:5220
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe93⤵PID:5292
-
C:\Windows\SysWOW64\Hfhbipdb.exeC:\Windows\system32\Hfhbipdb.exe94⤵PID:5356
-
C:\Windows\SysWOW64\Hnokjm32.exeC:\Windows\system32\Hnokjm32.exe95⤵PID:5428
-
C:\Windows\SysWOW64\Ijfkpnji.exeC:\Windows\system32\Ijfkpnji.exe96⤵PID:5488
-
C:\Windows\SysWOW64\Igjlibib.exeC:\Windows\system32\Igjlibib.exe97⤵PID:5584
-
C:\Windows\SysWOW64\Incdem32.exeC:\Windows\system32\Incdem32.exe98⤵PID:5640
-
C:\Windows\SysWOW64\Ienlbf32.exeC:\Windows\system32\Ienlbf32.exe99⤵PID:5708
-
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe100⤵PID:5776
-
C:\Windows\SysWOW64\Iqdmghnp.exeC:\Windows\system32\Iqdmghnp.exe101⤵PID:5848
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe102⤵PID:5956
-
C:\Windows\SysWOW64\Jffokn32.exeC:\Windows\system32\Jffokn32.exe103⤵
- Modifies registry class
PID:6024 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe104⤵PID:6096
-
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe105⤵PID:5144
-
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe106⤵PID:5264
-
C:\Windows\SysWOW64\Jmgmhgig.exeC:\Windows\system32\Jmgmhgig.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5376 -
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe108⤵PID:5484
-
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe109⤵PID:2248
-
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe110⤵PID:5580
-
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe111⤵PID:4860
-
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe112⤵PID:5756
-
C:\Windows\SysWOW64\Kmncif32.exeC:\Windows\system32\Kmncif32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5832 -
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe114⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\Kjbdbjbi.exeC:\Windows\system32\Kjbdbjbi.exe115⤵PID:6136
-
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe116⤵PID:5268
-
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe117⤵PID:5472
-
C:\Windows\SysWOW64\Knpmhh32.exeC:\Windows\system32\Knpmhh32.exe118⤵PID:3512
-
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe119⤵
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Khhaanop.exeC:\Windows\system32\Khhaanop.exe120⤵PID:5840
-
C:\Windows\SysWOW64\Kmeiie32.exeC:\Windows\system32\Kmeiie32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6048
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-