Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 21:01
Static task
static1
Behavioral task
behavioral1
Sample
afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe
Resource
win10v2004-20240802-en
General
-
Target
afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe
-
Size
128KB
-
MD5
87ce0a1f1ef16e1bf3493c0f61faf790
-
SHA1
cdb302746ab0090f9e29b989d889fefcdde6102c
-
SHA256
afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6
-
SHA512
b1e00d049f0b24b440a38be249c4de2c6c461d8cee7d48299892e1eeba547df567377a9272092b329a3b96dfb652b5413fc0c8f4e3c5a64580ed0b29c957b5d8
-
SSDEEP
3072:vih84blzDg1FKENH3/QSm85seAl7DxSvITW/cbFGS9n:sblzDuFKk3/QSv5nA5hCw9n
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklphekp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abfdpfaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okedcjcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlbkap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgkkkcbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkobmnka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppikbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lqpamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oakbehfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idkkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kngkqbgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgmpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhqefjpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbfcigf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkchelci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmmbbejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeplijj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgalmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqcejcha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhkmec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdokdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fganqbgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlpjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpnakk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paoollik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egkddo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egegjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fdkdibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Okedcjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbnkonbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjohde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkimho32.exe -
Executes dropped EXE 64 IoCs
pid Process 4504 Ijhjcchb.exe 4804 Iqbbpm32.exe 4168 Jhijqj32.exe 2396 Jbaojpgb.exe 2588 Jdpkflfe.exe 4780 Jjmcnbdm.exe 5080 Jqglkmlj.exe 2884 Jklphekp.exe 3196 Jbfheo32.exe 244 Jdedak32.exe 1188 Jjamia32.exe 920 Jqlefl32.exe 2080 Jjdjoane.exe 1520 Kqnbkl32.exe 4980 Kkcfid32.exe 3320 Kqpoakco.exe 3956 Kjhcjq32.exe 4144 Kbpkkn32.exe 3324 Kkhpdcab.exe 1676 Knflpoqf.exe 3912 Keqdmihc.exe 3744 Kgopidgf.exe 3108 Kageaj32.exe 3152 Kinmcg32.exe 3424 Kkmioc32.exe 1140 Kjpijpdg.exe 4764 Lbgalmej.exe 2292 Lalnmiia.exe 3252 Lbkkgl32.exe 4588 Lnbklm32.exe 668 Llflea32.exe 3716 Lacdmh32.exe 3524 Mbbagk32.exe 3584 Mjneln32.exe 1092 Miofjepg.exe 3936 Majjng32.exe 4464 Mlpokp32.exe 3684 Mbighjdd.exe 4736 Mlbkap32.exe 4900 Maodigil.exe 4396 Njghbl32.exe 3856 Naaqofgj.exe 3732 Nhkikq32.exe 3164 Nbqmiinl.exe 912 Neoieenp.exe 5064 Nklbmllg.exe 2816 Nafjjf32.exe 1808 Nlkngo32.exe 2892 Nknobkje.exe 4548 Niooqcad.exe 1452 Nkqkhk32.exe 2252 Najceeoo.exe 1200 Nlphbnoe.exe 5072 Oondnini.exe 2416 Oehlkc32.exe 4020 Okedcjcm.exe 1512 Ooqqdi32.exe 2820 Oifeab32.exe 3880 Okgaijaj.exe 4776 Oboijgbl.exe 4324 Ohkbbn32.exe 4940 Okjnnj32.exe 4016 Oadfkdgd.exe 60 Oiknlagg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hibafp32.exe Hgdejd32.exe File opened for modification C:\Windows\SysWOW64\Hiiggoaf.exe Hkfglb32.exe File opened for modification C:\Windows\SysWOW64\Icnklbmj.exe Idkkpf32.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Iliinc32.exe File created C:\Windows\SysWOW64\Jofill32.dll Gdjibj32.exe File opened for modification C:\Windows\SysWOW64\Gmdcfidg.exe Gihgfk32.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hoaojp32.exe File opened for modification C:\Windows\SysWOW64\Njjmni32.exe Ncpeaoih.exe File opened for modification C:\Windows\SysWOW64\Cienon32.exe Cgfbbb32.exe File created C:\Windows\SysWOW64\Amcpgoem.dll Lplfcf32.exe File opened for modification C:\Windows\SysWOW64\Nblolm32.exe Momcpa32.exe File created C:\Windows\SysWOW64\Neoogc32.dll afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe File created C:\Windows\SysWOW64\Nknobkje.exe Nlkngo32.exe File created C:\Windows\SysWOW64\Ilccoh32.exe Ijegcm32.exe File created C:\Windows\SysWOW64\Bdkohe32.dll Mkhapk32.exe File opened for modification C:\Windows\SysWOW64\Cdecgbfa.exe Cfbcke32.exe File created C:\Windows\SysWOW64\Chbfoaba.dll Hbenoi32.exe File opened for modification C:\Windows\SysWOW64\Affikdfn.exe Adgmoigj.exe File opened for modification C:\Windows\SysWOW64\Bipecnkd.exe Bbfmgd32.exe File created C:\Windows\SysWOW64\Bgmakofh.dll Eppqqn32.exe File created C:\Windows\SysWOW64\Npdpachh.dll Deqcbpld.exe File opened for modification C:\Windows\SysWOW64\Jljbeali.exe Jngbjd32.exe File created C:\Windows\SysWOW64\Nbjnhape.dll Hhimhobl.exe File created C:\Windows\SysWOW64\Mablfnne.exe Mledmg32.exe File created C:\Windows\SysWOW64\Lfgnho32.dll Pciqnk32.exe File opened for modification C:\Windows\SysWOW64\Cjgpfk32.exe Cobkhb32.exe File opened for modification C:\Windows\SysWOW64\Hmnmgnoh.exe Hibafp32.exe File created C:\Windows\SysWOW64\Bldqfd32.dll Omcjep32.exe File created C:\Windows\SysWOW64\Fqehjpfj.dll Ebdcld32.exe File created C:\Windows\SysWOW64\Qacameaj.exe Qfmmplad.exe File created C:\Windows\SysWOW64\Hnnljj32.exe Hpkknmgd.exe File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe Jpnakk32.exe File created C:\Windows\SysWOW64\Flmlag32.dll Jaonbc32.exe File created C:\Windows\SysWOW64\Ckilmcgb.exe Cmflbf32.exe File opened for modification C:\Windows\SysWOW64\Hiipmhmk.exe Hemdlj32.exe File opened for modification C:\Windows\SysWOW64\Ieccbbkn.exe Ibegfglj.exe File opened for modification C:\Windows\SysWOW64\Fjmfmh32.exe Process not Found File created C:\Windows\SysWOW64\Igdnabjh.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Knalji32.exe Kjepjkhf.exe File created C:\Windows\SysWOW64\Mkjnfkma.exe Mgobel32.exe File created C:\Windows\SysWOW64\Jkdgfllg.dll Bdbnjdfg.exe File created C:\Windows\SysWOW64\Chfhllkp.dll Hbhboolf.exe File created C:\Windows\SysWOW64\Gejhef32.exe Gnpphljo.exe File opened for modification C:\Windows\SysWOW64\Oeokal32.exe Omgcpokp.exe File opened for modification C:\Windows\SysWOW64\Gpbpbecj.exe Gmdcfidg.exe File created C:\Windows\SysWOW64\Kkmioc32.exe Kinmcg32.exe File created C:\Windows\SysWOW64\Aeheme32.dll Pcobaedj.exe File created C:\Windows\SysWOW64\Kdpmbc32.exe Kqdaadln.exe File created C:\Windows\SysWOW64\Joicekop.dll Lkeekk32.exe File opened for modification C:\Windows\SysWOW64\Mgclpkac.exe Mchppmij.exe File opened for modification C:\Windows\SysWOW64\Nlhkgi32.exe Nhmofj32.exe File created C:\Windows\SysWOW64\Jibclo32.dll Fqbliicp.exe File created C:\Windows\SysWOW64\Fniihmpf.exe Feqeog32.exe File opened for modification C:\Windows\SysWOW64\Gnpphljo.exe Gicgpelg.exe File created C:\Windows\SysWOW64\Ejhfdb32.dll Kolabf32.exe File created C:\Windows\SysWOW64\Bgnpek32.dll Lhqefjpo.exe File opened for modification C:\Windows\SysWOW64\Pkadoiip.exe Piphgq32.exe File created C:\Windows\SysWOW64\Bfdhdp32.dll Cmflbf32.exe File created C:\Windows\SysWOW64\Gckdpj32.dll Emphocjj.exe File opened for modification C:\Windows\SysWOW64\Ggahedjn.exe Gbfldf32.exe File opened for modification C:\Windows\SysWOW64\Hbhboolf.exe Hpiecd32.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Klahfp32.exe File created C:\Windows\SysWOW64\Bljlpjaf.dll Bpfkpp32.exe File created C:\Windows\SysWOW64\Cgpfqchb.dll Jeocna32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3140 5532 Process not Found 1135 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqlfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanokhdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjjhdjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcikejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbdjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efepbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilccoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djegekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfokoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeocna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbepme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjbiheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdapehop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkggfkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niojoeel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknobkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgcfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdodkebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcalieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deqcbpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgbdbqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqnbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmoohbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmlla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeknk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdobnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgclpkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldcjeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geanfelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloidijb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldicpljn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bklomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcfgpga.dll" Kjpijpdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngdb32.dll" Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" Pplobcpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boihcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahqoq32.dll" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqfpckhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inebjihf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhobd32.dll" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfglfdkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclbolkk.dll" Jdpkflfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbiockdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnbeeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbghcbm.dll" Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghghj32.dll" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll" Lgjijmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jofalmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jngbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlkfbocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpcam32.dll" Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efepbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpaleglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blickdlj.dll" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpbmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll" Dnngpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Dddllkbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kclgmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mokfja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epdime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Efhlhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Odoogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoclopne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inebjihf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abfdpfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhain32.dll" Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idcepgmg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4336 wrote to memory of 4504 4336 afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe 82 PID 4336 wrote to memory of 4504 4336 afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe 82 PID 4336 wrote to memory of 4504 4336 afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe 82 PID 4504 wrote to memory of 4804 4504 Ijhjcchb.exe 83 PID 4504 wrote to memory of 4804 4504 Ijhjcchb.exe 83 PID 4504 wrote to memory of 4804 4504 Ijhjcchb.exe 83 PID 4804 wrote to memory of 4168 4804 Iqbbpm32.exe 84 PID 4804 wrote to memory of 4168 4804 Iqbbpm32.exe 84 PID 4804 wrote to memory of 4168 4804 Iqbbpm32.exe 84 PID 4168 wrote to memory of 2396 4168 Jhijqj32.exe 85 PID 4168 wrote to memory of 2396 4168 Jhijqj32.exe 85 PID 4168 wrote to memory of 2396 4168 Jhijqj32.exe 85 PID 2396 wrote to memory of 2588 2396 Jbaojpgb.exe 86 PID 2396 wrote to memory of 2588 2396 Jbaojpgb.exe 86 PID 2396 wrote to memory of 2588 2396 Jbaojpgb.exe 86 PID 2588 wrote to memory of 4780 2588 Jdpkflfe.exe 87 PID 2588 wrote to memory of 4780 2588 Jdpkflfe.exe 87 PID 2588 wrote to memory of 4780 2588 Jdpkflfe.exe 87 PID 4780 wrote to memory of 5080 4780 Jjmcnbdm.exe 88 PID 4780 wrote to memory of 5080 4780 Jjmcnbdm.exe 88 PID 4780 wrote to memory of 5080 4780 Jjmcnbdm.exe 88 PID 5080 wrote to memory of 2884 5080 Jqglkmlj.exe 89 PID 5080 wrote to memory of 2884 5080 Jqglkmlj.exe 89 PID 5080 wrote to memory of 2884 5080 Jqglkmlj.exe 89 PID 2884 wrote to memory of 3196 2884 Jklphekp.exe 90 PID 2884 wrote to memory of 3196 2884 Jklphekp.exe 90 PID 2884 wrote to memory of 3196 2884 Jklphekp.exe 90 PID 3196 wrote to memory of 244 3196 Jbfheo32.exe 91 PID 3196 wrote to memory of 244 3196 Jbfheo32.exe 91 PID 3196 wrote to memory of 244 3196 Jbfheo32.exe 91 PID 244 wrote to memory of 1188 244 Jdedak32.exe 92 PID 244 wrote to memory of 1188 244 Jdedak32.exe 92 PID 244 wrote to memory of 1188 244 Jdedak32.exe 92 PID 1188 wrote to memory of 920 1188 Jjamia32.exe 93 PID 1188 wrote to memory of 920 1188 Jjamia32.exe 93 PID 1188 wrote to memory of 920 1188 Jjamia32.exe 93 PID 920 wrote to memory of 2080 920 Jqlefl32.exe 94 PID 920 wrote to memory of 2080 920 Jqlefl32.exe 94 PID 920 wrote to memory of 2080 920 Jqlefl32.exe 94 PID 2080 wrote to memory of 1520 2080 Jjdjoane.exe 95 PID 2080 wrote to memory of 1520 2080 Jjdjoane.exe 95 PID 2080 wrote to memory of 1520 2080 Jjdjoane.exe 95 PID 1520 wrote to memory of 4980 1520 Kqnbkl32.exe 96 PID 1520 wrote to memory of 4980 1520 Kqnbkl32.exe 96 PID 1520 wrote to memory of 4980 1520 Kqnbkl32.exe 96 PID 4980 wrote to memory of 3320 4980 Kkcfid32.exe 97 PID 4980 wrote to memory of 3320 4980 Kkcfid32.exe 97 PID 4980 wrote to memory of 3320 4980 Kkcfid32.exe 97 PID 3320 wrote to memory of 3956 3320 Kqpoakco.exe 98 PID 3320 wrote to memory of 3956 3320 Kqpoakco.exe 98 PID 3320 wrote to memory of 3956 3320 Kqpoakco.exe 98 PID 3956 wrote to memory of 4144 3956 Kjhcjq32.exe 99 PID 3956 wrote to memory of 4144 3956 Kjhcjq32.exe 99 PID 3956 wrote to memory of 4144 3956 Kjhcjq32.exe 99 PID 4144 wrote to memory of 3324 4144 Kbpkkn32.exe 100 PID 4144 wrote to memory of 3324 4144 Kbpkkn32.exe 100 PID 4144 wrote to memory of 3324 4144 Kbpkkn32.exe 100 PID 3324 wrote to memory of 1676 3324 Kkhpdcab.exe 101 PID 3324 wrote to memory of 1676 3324 Kkhpdcab.exe 101 PID 3324 wrote to memory of 1676 3324 Kkhpdcab.exe 101 PID 1676 wrote to memory of 3912 1676 Knflpoqf.exe 102 PID 1676 wrote to memory of 3912 1676 Knflpoqf.exe 102 PID 1676 wrote to memory of 3912 1676 Knflpoqf.exe 102 PID 3912 wrote to memory of 3744 3912 Keqdmihc.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe"C:\Users\Admin\AppData\Local\Temp\afa4a141088f4836c23790faff6a6359fadb0b659c4057e408f19070e08740b6N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Jbfheo32.exeC:\Windows\system32\Jbfheo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe23⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe24⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3152 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe26⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4764 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe29⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe30⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe31⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe32⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe33⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe34⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe35⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe36⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe38⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe39⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe41⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe42⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe44⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe45⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe46⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe48⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe51⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe52⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe53⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe54⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe55⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe56⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe58⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe59⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe60⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe61⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe62⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe63⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe64⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe65⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe66⤵PID:3132
-
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe67⤵PID:1012
-
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe68⤵PID:2540
-
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe69⤵PID:3236
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe70⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe71⤵PID:5008
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe72⤵PID:516
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe73⤵PID:1276
-
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe74⤵PID:1068
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe75⤵PID:4156
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe76⤵PID:2744
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe77⤵PID:4532
-
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe78⤵PID:2996
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe79⤵PID:5048
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe80⤵
- Drops file in System32 directory
PID:5076 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe81⤵PID:2676
-
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe82⤵
- System Location Discovery: System Language Discovery
PID:4832 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe83⤵PID:1540
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe84⤵PID:5104
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe85⤵PID:3908
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe86⤵PID:1600
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe87⤵PID:2152
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe88⤵PID:3748
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe89⤵PID:1888
-
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe90⤵PID:4760
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe91⤵PID:4732
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe92⤵PID:4412
-
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe93⤵PID:4176
-
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe94⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe95⤵PID:5028
-
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe96⤵PID:3416
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe97⤵PID:2660
-
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe98⤵PID:1172
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe99⤵PID:2300
-
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe100⤵PID:4920
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe102⤵PID:3116
-
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe103⤵PID:4768
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe104⤵PID:2600
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe105⤵PID:3092
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe106⤵PID:1796
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe107⤵PID:572
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe108⤵PID:816
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe109⤵PID:1580
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe110⤵PID:3448
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe111⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe112⤵PID:2492
-
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe113⤵PID:848
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe114⤵PID:2648
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe116⤵PID:64
-
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe117⤵
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe118⤵PID:3168
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe119⤵
- Drops file in System32 directory
PID:3432 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe120⤵PID:5020
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe121⤵
- System Location Discovery: System Language Discovery
PID:852 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-