Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29-09-2024 23:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe
-
Size
59KB
-
MD5
fc419c26d104cd8a0b862d83bdf54cf0
-
SHA1
966f9efba96c81c94476223a3bc74db6e814c80a
-
SHA256
ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60
-
SHA512
bb7ecfa5da8b4e6abb06cc9add75e5ad9a3858c0815f8e212d2d421024e01abcca383bd78e242eef005d444555c80f5277da485f1492255c50b6061f55734420
-
SSDEEP
1536:YohELnh5duVoW1wjGsjuuuZq45Vrcy2LtO:DELnfdUPKjGsjuuuZq43retO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgjglg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnboma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiilblom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbalhho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqqek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbapoqh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alelkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qelcamcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omkdcccb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecialmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nakhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdbiphhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakidd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehcfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjaioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilfldoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngifef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmeoqlpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Decmjjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gknkkmmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppdjpcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpdidol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiodha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apqhldjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeffgkkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdmcki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaoaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkpdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbnqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iolfmcbb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elolco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmhphqoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhpjbgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadlbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlbfmjqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geklckkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqmplbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabdlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdpagc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qckbggad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kleiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpibke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekapfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbbdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdaqhf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehjmnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghqeihbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkamdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpbgajc.exe -
Executes dropped EXE 64 IoCs
pid Process 4216 Ddfbgelh.exe 4592 Dkpjdo32.exe 1056 Dnngpj32.exe 1860 Dckoia32.exe 3836 Dnqcfjae.exe 1244 Ddklbd32.exe 2776 Djgdkk32.exe 2372 Ddmhhd32.exe 1980 Egkddo32.exe 3536 Eaaiahei.exe 968 Ecbeip32.exe 4868 Ejlnfjbd.exe 2764 Edaaccbj.exe 1128 Ejojljqa.exe 3008 Eddnic32.exe 1028 Enlcahgh.exe 1572 Ekqckmfb.exe 5080 Fnalmh32.exe 4240 Fdkdibjp.exe 3012 Fgiaemic.exe 4060 Fjhmbihg.exe 3520 Fqbeoc32.exe 1844 Fcpakn32.exe 2552 Fjjjgh32.exe 2044 Fqdbdbna.exe 3208 Fdpnda32.exe 3724 Fkjfakng.exe 4676 Fnhbmgmk.exe 4020 Fdbkja32.exe 2920 Fjocbhbo.exe 3320 Fbfkceca.exe 1504 Gcghkm32.exe 3344 Gjcmngnj.exe 3388 Gdiakp32.exe 2148 Gnaecedp.exe 1400 Gcnnllcg.exe 3692 Gglfbkin.exe 2568 Hepgkohh.exe 3132 Hgocgjgk.exe 2452 Hjmodffo.exe 984 Hcedmkmp.exe 3124 Hnkhjdle.exe 3136 Hjaioe32.exe 4772 Hegmlnbp.exe 2056 Hnpaec32.exe 2864 Hghfnioq.exe 4256 Ielfgmnj.exe 4932 Iabglnco.exe 5028 Infhebbh.exe 4188 Ieqpbm32.exe 4228 Ijmhkchl.exe 1524 Iecmhlhb.exe 4432 Ihaidhgf.exe 5104 Iajmmm32.exe 4652 Ihceigec.exe 4412 Jaljbmkd.exe 2020 Jlanpfkj.exe 1140 Janghmia.exe 3772 Jldkeeig.exe 688 Jaqcnl32.exe 3644 Jdopjh32.exe 1444 Jnedgq32.exe 4816 Jhmhpfmi.exe 1332 Jbbmmo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kdjhkp32.exe Knmpbi32.exe File opened for modification C:\Windows\SysWOW64\Ggicbe32.exe Gnanioad.exe File opened for modification C:\Windows\SysWOW64\Mdcmnfop.exe Maeaajpl.exe File created C:\Windows\SysWOW64\Dhglhbni.dll Foenplji.exe File created C:\Windows\SysWOW64\Djhiglji.exe Ddkpoelb.exe File created C:\Windows\SysWOW64\Ojglddfj.dll Janghmia.exe File opened for modification C:\Windows\SysWOW64\Pohnnqgo.exe Pgaelcgm.exe File created C:\Windows\SysWOW64\Dmkcpdao.exe Dpgbgpbe.exe File opened for modification C:\Windows\SysWOW64\Ddnmeejo.exe Dqbadf32.exe File created C:\Windows\SysWOW64\Hhbnqi32.exe Hahedoci.exe File created C:\Windows\SysWOW64\Nndnocba.dll Process not Found File created C:\Windows\SysWOW64\Fkjhae32.dll Qciebg32.exe File opened for modification C:\Windows\SysWOW64\Pbddobla.exe Pcbdcf32.exe File created C:\Windows\SysWOW64\Iedbcebd.exe Iaifbg32.exe File created C:\Windows\SysWOW64\Jeojbmkh.dll Maaoaa32.exe File created C:\Windows\SysWOW64\Pjahchpb.exe Pddokabk.exe File created C:\Windows\SysWOW64\Mbkfcabb.exe Process not Found File created C:\Windows\SysWOW64\Lchfjc32.dll Okmpqjad.exe File created C:\Windows\SysWOW64\Jqiejphh.dll Mihikgod.exe File opened for modification C:\Windows\SysWOW64\Hlfcqh32.exe Helkdnaj.exe File opened for modification C:\Windows\SysWOW64\Ngaabfio.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nkghqo32.exe Nhhldc32.exe File created C:\Windows\SysWOW64\Hdffah32.exe Hnmnengg.exe File opened for modification C:\Windows\SysWOW64\Ofhcdlgg.exe Okcogc32.exe File created C:\Windows\SysWOW64\Abgcqjhp.exe Akmjdpac.exe File created C:\Windows\SysWOW64\Cfgace32.exe Cnpibh32.exe File created C:\Windows\SysWOW64\Fjhiogqh.dll Mbnjcg32.exe File created C:\Windows\SysWOW64\Pmfldkei.exe Pfmdgq32.exe File opened for modification C:\Windows\SysWOW64\Mqimdomb.exe Process not Found File created C:\Windows\SysWOW64\Pkabbgol.exe Piceflpi.exe File created C:\Windows\SysWOW64\Bfnafolo.dll Mgkjch32.exe File created C:\Windows\SysWOW64\Dqdgop32.exe Process not Found File created C:\Windows\SysWOW64\Loniiflo.exe Lhdqml32.exe File created C:\Windows\SysWOW64\Kmadhp32.dll Bnoiqd32.exe File opened for modification C:\Windows\SysWOW64\Dfqogfjo.exe Process not Found File created C:\Windows\SysWOW64\Ifckkhfi.exe Icdoolge.exe File opened for modification C:\Windows\SysWOW64\Jgekdq32.exe Jcjodbgl.exe File created C:\Windows\SysWOW64\Fikihlmj.exe Fgmllpng.exe File created C:\Windows\SysWOW64\Kfpqap32.exe Kmhlijpm.exe File created C:\Windows\SysWOW64\Mhaofb32.dll Ddkpoelb.exe File created C:\Windows\SysWOW64\Qecnjaee.dll Cifdjg32.exe File created C:\Windows\SysWOW64\Famhnjcj.dll Mbkmngfn.exe File opened for modification C:\Windows\SysWOW64\Fhalcm32.exe Emlgedge.exe File created C:\Windows\SysWOW64\Pecpknke.exe Pbddobla.exe File created C:\Windows\SysWOW64\Imbmlk32.dll Qpmfklbq.exe File opened for modification C:\Windows\SysWOW64\Eflocepa.exe Process not Found File created C:\Windows\SysWOW64\Fooqlnoa.dll Leoejh32.exe File opened for modification C:\Windows\SysWOW64\Pgknlg32.exe Pboblika.exe File created C:\Windows\SysWOW64\Ehbihj32.exe Efampahd.exe File created C:\Windows\SysWOW64\Dbehienn.exe Dojlhg32.exe File created C:\Windows\SysWOW64\Lbpmbipk.exe Lhgiic32.exe File created C:\Windows\SysWOW64\Imiagi32.exe Ifoijonj.exe File created C:\Windows\SysWOW64\Pmgcoaie.exe Pkigbfja.exe File created C:\Windows\SysWOW64\Embdofop.exe Egelgoah.exe File created C:\Windows\SysWOW64\Qhhgib32.dll Process not Found File created C:\Windows\SysWOW64\Djmjmleo.dll Laeoec32.exe File created C:\Windows\SysWOW64\Bhpjjc32.dll Nffceq32.exe File created C:\Windows\SysWOW64\Himgjbii.exe Hccomh32.exe File opened for modification C:\Windows\SysWOW64\Ldqfddml.exe Lfnfhg32.exe File opened for modification C:\Windows\SysWOW64\Kklkej32.exe Process not Found File created C:\Windows\SysWOW64\Cdnchk32.dll Hlogfd32.exe File opened for modification C:\Windows\SysWOW64\Golcak32.exe Ghbkdald.exe File created C:\Windows\SysWOW64\Bhgnka32.dll Ijigfaol.exe File created C:\Windows\SysWOW64\Cfglahbj.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 11676 10688 Process not Found 1289 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfkng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhaanop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmpido32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaegqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amibqhed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelhcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgmkbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoekde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najjmjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Focakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnihnmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobcgdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddklbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeekag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbiphhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodjcnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakkplbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgnmcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nconfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbfmjqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jginej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flgadake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmbkipk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfemmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckeokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicjokll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfohbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmnengg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemgkpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqmplbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejbaqgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpjjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolfmcbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacfjfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjhpqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhalcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfgfpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfqfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akmjdpac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppbejka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piikhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddnic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoakaip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghfnioq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piceflpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkigbfja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgbdmfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjocbhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmlkfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeijqqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmjgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeamcmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flghognq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihndgmdd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odejmglm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnbapjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccaagm32.dll" Cgbfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfola32.dll" Hhbnqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qomghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejglcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhmcdfq.dll" Dnqcfjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll" Cdjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfdca32.dll" Iedbcebd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmfqngcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ladhkmno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejanihcl.dll" Cnhlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdaif32.dll" Fkehdnee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjeklfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjeggme.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqgoo32.dll" Qkfkng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nahdapae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgblkajh.dll" Abdfkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bngfli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jginej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiobbgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iofpnhmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkpjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piifjomf.dll" Bcbeqaia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfghlhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjagh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laiiombp.dll" Dekapfke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmjlkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnlnaiq.dll" Enpknplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjfhbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elaobdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gknkkmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Himgjbii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkplho.dll" Ppoijn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnhacn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkakhakq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghqeihbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkjlqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbklkdg.dll" Ljephmgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cekhihig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poknopjk.dll" Ihmnldib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifghmae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" Fqdbdbna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icakofel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkanj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebcdjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqfcbahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nipokfil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnngpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagchmne.dll" Jelhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkmpjb32.dll" Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aochga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll" Obidcdfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albkieqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknkkci.dll" Ohobebig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfioj32.dll" Kaihonhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midoph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgfff32.dll" Kfdcbiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genmbb32.dll" Alelkf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2836 wrote to memory of 4216 2836 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 87 PID 2836 wrote to memory of 4216 2836 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 87 PID 2836 wrote to memory of 4216 2836 ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe 87 PID 4216 wrote to memory of 4592 4216 Ddfbgelh.exe 88 PID 4216 wrote to memory of 4592 4216 Ddfbgelh.exe 88 PID 4216 wrote to memory of 4592 4216 Ddfbgelh.exe 88 PID 4592 wrote to memory of 1056 4592 Dkpjdo32.exe 89 PID 4592 wrote to memory of 1056 4592 Dkpjdo32.exe 89 PID 4592 wrote to memory of 1056 4592 Dkpjdo32.exe 89 PID 1056 wrote to memory of 1860 1056 Dnngpj32.exe 90 PID 1056 wrote to memory of 1860 1056 Dnngpj32.exe 90 PID 1056 wrote to memory of 1860 1056 Dnngpj32.exe 90 PID 1860 wrote to memory of 3836 1860 Dckoia32.exe 91 PID 1860 wrote to memory of 3836 1860 Dckoia32.exe 91 PID 1860 wrote to memory of 3836 1860 Dckoia32.exe 91 PID 3836 wrote to memory of 1244 3836 Dnqcfjae.exe 92 PID 3836 wrote to memory of 1244 3836 Dnqcfjae.exe 92 PID 3836 wrote to memory of 1244 3836 Dnqcfjae.exe 92 PID 1244 wrote to memory of 2776 1244 Ddklbd32.exe 93 PID 1244 wrote to memory of 2776 1244 Ddklbd32.exe 93 PID 1244 wrote to memory of 2776 1244 Ddklbd32.exe 93 PID 2776 wrote to memory of 2372 2776 Djgdkk32.exe 94 PID 2776 wrote to memory of 2372 2776 Djgdkk32.exe 94 PID 2776 wrote to memory of 2372 2776 Djgdkk32.exe 94 PID 2372 wrote to memory of 1980 2372 Ddmhhd32.exe 95 PID 2372 wrote to memory of 1980 2372 Ddmhhd32.exe 95 PID 2372 wrote to memory of 1980 2372 Ddmhhd32.exe 95 PID 1980 wrote to memory of 3536 1980 Egkddo32.exe 96 PID 1980 wrote to memory of 3536 1980 Egkddo32.exe 96 PID 1980 wrote to memory of 3536 1980 Egkddo32.exe 96 PID 3536 wrote to memory of 968 3536 Eaaiahei.exe 97 PID 3536 wrote to memory of 968 3536 Eaaiahei.exe 97 PID 3536 wrote to memory of 968 3536 Eaaiahei.exe 97 PID 968 wrote to memory of 4868 968 Ecbeip32.exe 98 PID 968 wrote to memory of 4868 968 Ecbeip32.exe 98 PID 968 wrote to memory of 4868 968 Ecbeip32.exe 98 PID 4868 wrote to memory of 2764 4868 Ejlnfjbd.exe 99 PID 4868 wrote to memory of 2764 4868 Ejlnfjbd.exe 99 PID 4868 wrote to memory of 2764 4868 Ejlnfjbd.exe 99 PID 2764 wrote to memory of 1128 2764 Edaaccbj.exe 100 PID 2764 wrote to memory of 1128 2764 Edaaccbj.exe 100 PID 2764 wrote to memory of 1128 2764 Edaaccbj.exe 100 PID 1128 wrote to memory of 3008 1128 Ejojljqa.exe 101 PID 1128 wrote to memory of 3008 1128 Ejojljqa.exe 101 PID 1128 wrote to memory of 3008 1128 Ejojljqa.exe 101 PID 3008 wrote to memory of 1028 3008 Eddnic32.exe 102 PID 3008 wrote to memory of 1028 3008 Eddnic32.exe 102 PID 3008 wrote to memory of 1028 3008 Eddnic32.exe 102 PID 1028 wrote to memory of 1572 1028 Enlcahgh.exe 103 PID 1028 wrote to memory of 1572 1028 Enlcahgh.exe 103 PID 1028 wrote to memory of 1572 1028 Enlcahgh.exe 103 PID 1572 wrote to memory of 5080 1572 Ekqckmfb.exe 104 PID 1572 wrote to memory of 5080 1572 Ekqckmfb.exe 104 PID 1572 wrote to memory of 5080 1572 Ekqckmfb.exe 104 PID 5080 wrote to memory of 4240 5080 Fnalmh32.exe 105 PID 5080 wrote to memory of 4240 5080 Fnalmh32.exe 105 PID 5080 wrote to memory of 4240 5080 Fnalmh32.exe 105 PID 4240 wrote to memory of 3012 4240 Fdkdibjp.exe 106 PID 4240 wrote to memory of 3012 4240 Fdkdibjp.exe 106 PID 4240 wrote to memory of 3012 4240 Fdkdibjp.exe 106 PID 3012 wrote to memory of 4060 3012 Fgiaemic.exe 107 PID 3012 wrote to memory of 4060 3012 Fgiaemic.exe 107 PID 3012 wrote to memory of 4060 3012 Fgiaemic.exe 107 PID 4060 wrote to memory of 3520 4060 Fjhmbihg.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe"C:\Users\Admin\AppData\Local\Temp\ab27847c64a758c94d8cbdc62ef1c499916b10fae27a1cf2e892b2297cdb4c60N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Dkpjdo32.exeC:\Windows\system32\Dkpjdo32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dnqcfjae.exeC:\Windows\system32\Dnqcfjae.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Eaaiahei.exeC:\Windows\system32\Eaaiahei.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Ejlnfjbd.exeC:\Windows\system32\Ejlnfjbd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Edaaccbj.exeC:\Windows\system32\Edaaccbj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Enlcahgh.exeC:\Windows\system32\Enlcahgh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Fdkdibjp.exeC:\Windows\system32\Fdkdibjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe23⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe24⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Fjjjgh32.exeC:\Windows\system32\Fjjjgh32.exe25⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe27⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe28⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe29⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe30⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Fjocbhbo.exeC:\Windows\system32\Fjocbhbo.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe32⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe33⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe34⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe35⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe36⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe37⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Gglfbkin.exeC:\Windows\system32\Gglfbkin.exe38⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Hepgkohh.exeC:\Windows\system32\Hepgkohh.exe39⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe40⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe41⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe42⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe43⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Hjaioe32.exeC:\Windows\system32\Hjaioe32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe45⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe48⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe49⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe50⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe51⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Ijmhkchl.exeC:\Windows\system32\Ijmhkchl.exe52⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe53⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe54⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe55⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Ihceigec.exeC:\Windows\system32\Ihceigec.exe56⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe57⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe58⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Janghmia.exeC:\Windows\system32\Janghmia.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe60⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Jaqcnl32.exeC:\Windows\system32\Jaqcnl32.exe61⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe62⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Jnedgq32.exeC:\Windows\system32\Jnedgq32.exe63⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe64⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe65⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Jeaiij32.exeC:\Windows\system32\Jeaiij32.exe66⤵PID:4144
-
C:\Windows\SysWOW64\Koimbpbc.exeC:\Windows\system32\Koimbpbc.exe67⤵PID:5076
-
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe68⤵PID:1668
-
C:\Windows\SysWOW64\Kkpnga32.exeC:\Windows\system32\Kkpnga32.exe69⤵PID:2844
-
C:\Windows\SysWOW64\Kefbdjgm.exeC:\Windows\system32\Kefbdjgm.exe70⤵PID:5064
-
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe71⤵PID:4584
-
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe72⤵PID:1448
-
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe73⤵PID:2436
-
C:\Windows\SysWOW64\Kaopoj32.exeC:\Windows\system32\Kaopoj32.exe74⤵PID:1500
-
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe75⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe76⤵PID:4360
-
C:\Windows\SysWOW64\Kaaldjil.exeC:\Windows\system32\Kaaldjil.exe77⤵PID:4968
-
C:\Windows\SysWOW64\Khkdad32.exeC:\Windows\system32\Khkdad32.exe78⤵PID:3528
-
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe79⤵
- Drops file in System32 directory
PID:4108 -
C:\Windows\SysWOW64\Logicn32.exeC:\Windows\system32\Logicn32.exe80⤵PID:3004
-
C:\Windows\SysWOW64\Laffpi32.exeC:\Windows\system32\Laffpi32.exe81⤵PID:5012
-
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe82⤵PID:4764
-
C:\Windows\SysWOW64\Llkjmb32.exeC:\Windows\system32\Llkjmb32.exe83⤵PID:4736
-
C:\Windows\SysWOW64\Ldfoad32.exeC:\Windows\system32\Ldfoad32.exe84⤵PID:4628
-
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe85⤵PID:5016
-
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe86⤵PID:4420
-
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe87⤵PID:4812
-
C:\Windows\SysWOW64\Maoifh32.exeC:\Windows\system32\Maoifh32.exe88⤵PID:4648
-
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe89⤵PID:5132
-
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe91⤵PID:5220
-
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe92⤵PID:5264
-
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe93⤵PID:5316
-
C:\Windows\SysWOW64\Mohbjkgp.exeC:\Windows\system32\Mohbjkgp.exe94⤵PID:5360
-
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe95⤵PID:5404
-
C:\Windows\SysWOW64\Mddkbbfg.exeC:\Windows\system32\Mddkbbfg.exe96⤵PID:5448
-
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe97⤵PID:5492
-
C:\Windows\SysWOW64\Medglemj.exeC:\Windows\system32\Medglemj.exe98⤵PID:5536
-
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe99⤵PID:5580
-
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe100⤵PID:5624
-
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe102⤵PID:5720
-
C:\Windows\SysWOW64\Nkcmjlio.exeC:\Windows\system32\Nkcmjlio.exe103⤵PID:5764
-
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe104⤵PID:5808
-
C:\Windows\SysWOW64\Nlcidopb.exeC:\Windows\system32\Nlcidopb.exe105⤵PID:5868
-
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe106⤵PID:5924
-
C:\Windows\SysWOW64\Ndnnianm.exeC:\Windows\system32\Ndnnianm.exe107⤵PID:5980
-
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe108⤵
- System Location Discovery: System Language Discovery
PID:6024 -
C:\Windows\SysWOW64\Nfnjbdep.exeC:\Windows\system32\Nfnjbdep.exe109⤵PID:6068
-
C:\Windows\SysWOW64\Nkjckkcg.exeC:\Windows\system32\Nkjckkcg.exe110⤵PID:6112
-
C:\Windows\SysWOW64\Okmpqjad.exeC:\Windows\system32\Okmpqjad.exe111⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe112⤵PID:5188
-
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe113⤵PID:5272
-
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe114⤵
- Modifies registry class
PID:5344 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe115⤵PID:5432
-
C:\Windows\SysWOW64\Oomelheh.exeC:\Windows\system32\Oomelheh.exe116⤵PID:5480
-
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe117⤵PID:5548
-
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe118⤵PID:5620
-
C:\Windows\SysWOW64\Oooaah32.exeC:\Windows\system32\Oooaah32.exe119⤵PID:5716
-
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe120⤵PID:5772
-
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe121⤵PID:5860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-