Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-09-2024 03:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4d34fc1fa96ef49266bdbcbff4ae420N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
b4d34fc1fa96ef49266bdbcbff4ae420N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b4d34fc1fa96ef49266bdbcbff4ae420N.exe
-
Size
414KB
-
MD5
b4d34fc1fa96ef49266bdbcbff4ae420
-
SHA1
b6d83ae26bec8a7104c02c1026512f787aa5e99a
-
SHA256
d148a9facb5b04cb8d01aa8e3d4ec6f02b87a1bc630b5dfa6535a2f1791a761d
-
SHA512
8e08deafb3addee87a2ec837c4a75b3df7e3146c55fdd0b63413c46b23b4b0c3050af032f6524e6f88010fe61fb01ddbfa48f3ef6ae75cc6854bfe70c8a37fad
-
SSDEEP
12288:X2eho3VKedOGeKTaPkY660fIaDZkY660ffL:G13VKedOGeKTaPgsaDZgTL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfgcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blqllqqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbdjeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adhdjpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbchdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkaobnio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdjbiheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injmcmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iidphgcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphbnoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgcjddh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akccap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amjbbfgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boldhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdialdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijqmhnko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bknlbhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefabkej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbicpfdk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkkoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbchdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hoclopne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okgaijaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hibafp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhkbfme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbdhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddligq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad b4d34fc1fa96ef49266bdbcbff4ae420N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igigla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpjgaoqm.exe -
Executes dropped EXE 64 IoCs
pid Process 4208 Jgenbfoa.exe 2896 Jjdjoane.exe 4024 Kbmoen32.exe 3252 Kgjgne32.exe 2720 Kkhpdcab.exe 4256 Knflpoqf.exe 512 Kjmmepfj.exe 116 Kageaj32.exe 220 Liqihglg.exe 4440 Lnnbqnjn.exe 3000 Lalnmiia.exe 3176 Lbkkgl32.exe 3540 Laqhhi32.exe 2336 Ljilqnlm.exe 2300 Lacdmh32.exe 2444 Mngegmbc.exe 736 Mhoipb32.exe 3960 Mlmbfqoj.exe 3340 Meefofek.exe 2400 Mnnkgl32.exe 3524 Micoed32.exe 4492 Maodigil.exe 4804 Nbnpcj32.exe 3116 Nihipdhl.exe 2696 Nbqmiinl.exe 1440 Neoieenp.exe 3556 Nafjjf32.exe 4216 Nhpbfpka.exe 1112 Nbefdijg.exe 424 Nkqkhk32.exe 3948 Nbgcih32.exe 2368 Nlphbnoe.exe 3404 Oondnini.exe 2080 Olbdhn32.exe 1792 Oblmdhdo.exe 2240 Oekiqccc.exe 3380 Oldamm32.exe 3228 Okgaijaj.exe 4816 Oboijgbl.exe 2076 Oihagaji.exe 4576 Olgncmim.exe 3840 Ooejohhq.exe 3736 Oadfkdgd.exe 3980 Ohnohn32.exe 2284 Oklkdi32.exe 4800 Oeaoab32.exe 3100 Ohpkmn32.exe 3292 Pkogiikb.exe 3260 Pedlgbkh.exe 4848 Phbhcmjl.exe 3384 Polppg32.exe 4184 Pakllc32.exe 4152 Phedhmhi.exe 4596 Phganm32.exe 2000 Papfgbmg.exe 464 Pifnhpmi.exe 3608 Pkhjph32.exe 8 Pcobaedj.exe 2088 Pemomqcn.exe 1888 Qkjgegae.exe 632 Qcaofebg.exe 2820 Qepkbpak.exe 4896 Qhngolpo.exe 4072 Qohpkf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgagea32.dll Njjdho32.exe File created C:\Windows\SysWOW64\Bpkdjofm.exe Boihcf32.exe File created C:\Windows\SysWOW64\Ockbnedp.dll Papfgbmg.exe File created C:\Windows\SysWOW64\Hgddbm32.dll Alqjpi32.exe File opened for modification C:\Windows\SysWOW64\Ljfhqh32.exe Lggldm32.exe File created C:\Windows\SysWOW64\Eiahnnph.exe Eoideh32.exe File opened for modification C:\Windows\SysWOW64\Jghpbk32.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Nondlbmd.dll Bjicdmmd.exe File opened for modification C:\Windows\SysWOW64\Hgdejd32.exe Hdehni32.exe File created C:\Windows\SysWOW64\Ijqmhnko.exe Iphioh32.exe File created C:\Windows\SysWOW64\Fenghpla.dll Enbjad32.exe File created C:\Windows\SysWOW64\Lccahg32.dll Jjlmclqa.exe File created C:\Windows\SysWOW64\Poimpapp.exe Plkpcfal.exe File created C:\Windows\SysWOW64\Iidphgcn.exe Ioolkncg.exe File created C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Nafjjf32.exe Neoieenp.exe File opened for modification C:\Windows\SysWOW64\Oklkdi32.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Dkdliame.exe Dfgcakon.exe File created C:\Windows\SysWOW64\Cmiogmig.dll Fdccbl32.exe File created C:\Windows\SysWOW64\Jbnffffp.dll Oelolmnd.exe File created C:\Windows\SysWOW64\Bhpfqcln.exe Bnkbcj32.exe File created C:\Windows\SysWOW64\Mfchlbfd.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Bjlpjm32.exe Boflmdkk.exe File opened for modification C:\Windows\SysWOW64\Gbdoof32.exe Gljgbllj.exe File created C:\Windows\SysWOW64\Gipdap32.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Neqopnhb.exe Naecop32.exe File created C:\Windows\SysWOW64\Nlphbnoe.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jnelok32.exe File created C:\Windows\SysWOW64\Kcndbp32.exe Kjepjkhf.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Lcgpni32.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Hildmn32.exe File created C:\Windows\SysWOW64\Plbfdekd.exe Pdkoch32.exe File created C:\Windows\SysWOW64\Aqmiic32.dll Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Qhngolpo.exe Qepkbpak.exe File opened for modification C:\Windows\SysWOW64\Ddnfmqng.exe Dbpjaeoc.exe File created C:\Windows\SysWOW64\Iohmnmmb.dll Agimkk32.exe File opened for modification C:\Windows\SysWOW64\Knooej32.exe Kkpbin32.exe File created C:\Windows\SysWOW64\Jkiocibf.dll Lgccinoe.exe File created C:\Windows\SysWOW64\Abklmb32.dll Chnbbqpn.exe File opened for modification C:\Windows\SysWOW64\Nihipdhl.exe Nbnpcj32.exe File opened for modification C:\Windows\SysWOW64\Qaflgago.exe Qohpkf32.exe File opened for modification C:\Windows\SysWOW64\Jjoiil32.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Kglmio32.exe Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Qdaniq32.exe Qacameaj.exe File created C:\Windows\SysWOW64\Bkgeainn.exe Bdmmeo32.exe File created C:\Windows\SysWOW64\Bpfkpp32.exe Bmhocd32.exe File opened for modification C:\Windows\SysWOW64\Cdpcal32.exe Cnfkdb32.exe File created C:\Windows\SysWOW64\Gajaoo32.dll Fjjnifbl.exe File opened for modification C:\Windows\SysWOW64\Gpcfmkff.exe Gbofcghl.exe File created C:\Windows\SysWOW64\Iggjga32.exe Ipmbjgpi.exe File created C:\Windows\SysWOW64\Llgmeiqa.dll Mkohaj32.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fmfgek32.exe File opened for modification C:\Windows\SysWOW64\Mfnoqc32.exe Mcpcdg32.exe File created C:\Windows\SysWOW64\Jbofpe32.dll Nceefd32.exe File opened for modification C:\Windows\SysWOW64\Omqmop32.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Ipoheakj.exe File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Chiblk32.exe Caojpaij.exe File created C:\Windows\SysWOW64\Hehkga32.dll Nabfjpak.exe File opened for modification C:\Windows\SysWOW64\Amjillkj.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Hhjamhbn.dll Ddnfmqng.exe File opened for modification C:\Windows\SysWOW64\Ojajin32.exe Ocgbld32.exe File opened for modification C:\Windows\SysWOW64\Lnnbqnjn.exe Liqihglg.exe File opened for modification C:\Windows\SysWOW64\Jjlmclqa.exe Jgnqgqan.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12612 12476 WerFault.exe 652 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakllc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfihkqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiigadc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahbmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejbfmpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boihcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgnemjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpiplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmkiclm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggpfkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phganm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bombmcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfami32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpjmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qacameaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhkjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbbqpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoalgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmcgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihnomjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohejo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgddbm32.dll" Alqjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgjlnfh.dll" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjqjajoe.dll" Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbiado32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcmimpk.dll" Elgaeolp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Aonoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll" Dbicpfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fedbbjgh.dll" Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcelpggq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iphioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Nmlddqem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckmehb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oobfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgpecj32.dll" Kflide32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gidnkkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhgag32.dll" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll" Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpphb32.dll" Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoong32.dll" Ecgcfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkdliame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmqnobn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meefofek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpdhkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckjbhmad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qacameaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkchlonc.dll" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Ckhecmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll" Cnhgjaml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiag32.dll" Oldamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njinmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjpnpd32.dll" Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jilfifme.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4132 wrote to memory of 4208 4132 b4d34fc1fa96ef49266bdbcbff4ae420N.exe 83 PID 4132 wrote to memory of 4208 4132 b4d34fc1fa96ef49266bdbcbff4ae420N.exe 83 PID 4132 wrote to memory of 4208 4132 b4d34fc1fa96ef49266bdbcbff4ae420N.exe 83 PID 4208 wrote to memory of 2896 4208 Jgenbfoa.exe 84 PID 4208 wrote to memory of 2896 4208 Jgenbfoa.exe 84 PID 4208 wrote to memory of 2896 4208 Jgenbfoa.exe 84 PID 2896 wrote to memory of 4024 2896 Jjdjoane.exe 85 PID 2896 wrote to memory of 4024 2896 Jjdjoane.exe 85 PID 2896 wrote to memory of 4024 2896 Jjdjoane.exe 85 PID 4024 wrote to memory of 3252 4024 Kbmoen32.exe 87 PID 4024 wrote to memory of 3252 4024 Kbmoen32.exe 87 PID 4024 wrote to memory of 3252 4024 Kbmoen32.exe 87 PID 3252 wrote to memory of 2720 3252 Kgjgne32.exe 89 PID 3252 wrote to memory of 2720 3252 Kgjgne32.exe 89 PID 3252 wrote to memory of 2720 3252 Kgjgne32.exe 89 PID 2720 wrote to memory of 4256 2720 Kkhpdcab.exe 90 PID 2720 wrote to memory of 4256 2720 Kkhpdcab.exe 90 PID 2720 wrote to memory of 4256 2720 Kkhpdcab.exe 90 PID 4256 wrote to memory of 512 4256 Knflpoqf.exe 91 PID 4256 wrote to memory of 512 4256 Knflpoqf.exe 91 PID 4256 wrote to memory of 512 4256 Knflpoqf.exe 91 PID 512 wrote to memory of 116 512 Kjmmepfj.exe 92 PID 512 wrote to memory of 116 512 Kjmmepfj.exe 92 PID 512 wrote to memory of 116 512 Kjmmepfj.exe 92 PID 116 wrote to memory of 220 116 Kageaj32.exe 94 PID 116 wrote to memory of 220 116 Kageaj32.exe 94 PID 116 wrote to memory of 220 116 Kageaj32.exe 94 PID 220 wrote to memory of 4440 220 Liqihglg.exe 95 PID 220 wrote to memory of 4440 220 Liqihglg.exe 95 PID 220 wrote to memory of 4440 220 Liqihglg.exe 95 PID 4440 wrote to memory of 3000 4440 Lnnbqnjn.exe 96 PID 4440 wrote to memory of 3000 4440 Lnnbqnjn.exe 96 PID 4440 wrote to memory of 3000 4440 Lnnbqnjn.exe 96 PID 3000 wrote to memory of 3176 3000 Lalnmiia.exe 97 PID 3000 wrote to memory of 3176 3000 Lalnmiia.exe 97 PID 3000 wrote to memory of 3176 3000 Lalnmiia.exe 97 PID 3176 wrote to memory of 3540 3176 Lbkkgl32.exe 98 PID 3176 wrote to memory of 3540 3176 Lbkkgl32.exe 98 PID 3176 wrote to memory of 3540 3176 Lbkkgl32.exe 98 PID 3540 wrote to memory of 2336 3540 Laqhhi32.exe 99 PID 3540 wrote to memory of 2336 3540 Laqhhi32.exe 99 PID 3540 wrote to memory of 2336 3540 Laqhhi32.exe 99 PID 2336 wrote to memory of 2300 2336 Ljilqnlm.exe 100 PID 2336 wrote to memory of 2300 2336 Ljilqnlm.exe 100 PID 2336 wrote to memory of 2300 2336 Ljilqnlm.exe 100 PID 2300 wrote to memory of 2444 2300 Lacdmh32.exe 101 PID 2300 wrote to memory of 2444 2300 Lacdmh32.exe 101 PID 2300 wrote to memory of 2444 2300 Lacdmh32.exe 101 PID 2444 wrote to memory of 736 2444 Mngegmbc.exe 102 PID 2444 wrote to memory of 736 2444 Mngegmbc.exe 102 PID 2444 wrote to memory of 736 2444 Mngegmbc.exe 102 PID 736 wrote to memory of 3960 736 Mhoipb32.exe 103 PID 736 wrote to memory of 3960 736 Mhoipb32.exe 103 PID 736 wrote to memory of 3960 736 Mhoipb32.exe 103 PID 3960 wrote to memory of 3340 3960 Mlmbfqoj.exe 104 PID 3960 wrote to memory of 3340 3960 Mlmbfqoj.exe 104 PID 3960 wrote to memory of 3340 3960 Mlmbfqoj.exe 104 PID 3340 wrote to memory of 2400 3340 Meefofek.exe 105 PID 3340 wrote to memory of 2400 3340 Meefofek.exe 105 PID 3340 wrote to memory of 2400 3340 Meefofek.exe 105 PID 2400 wrote to memory of 3524 2400 Mnnkgl32.exe 106 PID 2400 wrote to memory of 3524 2400 Mnnkgl32.exe 106 PID 2400 wrote to memory of 3524 2400 Mnnkgl32.exe 106 PID 3524 wrote to memory of 4492 3524 Micoed32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4d34fc1fa96ef49266bdbcbff4ae420N.exe"C:\Users\Admin\AppData\Local\Temp\b4d34fc1fa96ef49266bdbcbff4ae420N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe23⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4804 -
C:\Windows\SysWOW64\Nihipdhl.exeC:\Windows\system32\Nihipdhl.exe25⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe26⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe28⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe29⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe30⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe31⤵
- Executes dropped EXE
PID:424 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe34⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe37⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3380 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe40⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe42⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe43⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe44⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3980 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe46⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe47⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe48⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe49⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe50⤵
- Executes dropped EXE
PID:3260 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe51⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Polppg32.exeC:\Windows\system32\Polppg32.exe52⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4184 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe54⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4596 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe57⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3608 -
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe59⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe60⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe62⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe64⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4072 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe66⤵PID:444
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe67⤵PID:4428
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe68⤵PID:3224
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe69⤵PID:4976
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe70⤵PID:2308
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4524 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe73⤵PID:604
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe74⤵PID:3264
-
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe75⤵PID:4224
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe76⤵
- Drops file in System32 directory
PID:4512 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe77⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe78⤵PID:4268
-
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe79⤵PID:3336
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe80⤵PID:4020
-
C:\Windows\SysWOW64\Bbiado32.exeC:\Windows\system32\Bbiado32.exe81⤵
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe82⤵
- System Location Discovery: System Language Discovery
PID:3480 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe83⤵PID:3460
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe84⤵PID:2704
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe85⤵PID:1836
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe86⤵PID:4600
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe87⤵PID:4876
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe88⤵
- System Location Discovery: System Language Discovery
PID:5136 -
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe89⤵PID:5180
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe90⤵PID:5224
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe91⤵PID:5268
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe92⤵PID:5312
-
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe93⤵
- Modifies registry class
PID:5352 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe95⤵PID:5444
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe96⤵PID:5488
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe97⤵PID:5532
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe98⤵PID:5576
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe100⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe102⤵PID:5752
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe103⤵PID:5796
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe104⤵PID:5844
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe105⤵PID:5888
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe106⤵PID:5932
-
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe107⤵PID:5976
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe108⤵PID:6020
-
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe109⤵PID:6072
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe110⤵
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe111⤵
- Modifies registry class
PID:5156 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe112⤵PID:5240
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe113⤵PID:5304
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe114⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe115⤵PID:5460
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe116⤵PID:5520
-
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe117⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe118⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5740 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe120⤵PID:5808
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe121⤵PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-