Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 03:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe
-
Size
93KB
-
MD5
a579b377f57eedb017fa40d15a2c1de2
-
SHA1
ef1fc01cd0ab773793ca8dcaa117326473ad8115
-
SHA256
da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e
-
SHA512
618e0dab2bb7950b1e9c2763d6b656c1859bb41c899beeab9b9aa038f5a92d849e66ece71b1d8cee231f20c2048f8f637357a14a47684a7d0ffd3d4777e3fa07
-
SSDEEP
1536:QGDlA6L4zCSiJ9qSvEpd55GARILh7yYrmACnCBoS76/sRQQRkRLJzeLD9N0iQGR4:HdL4zCSi/JWRGARIl7yYrdPeQSJdEN0/
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Llbidimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glengm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kflide32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfqlfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifleoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eidlnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahmfpap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chlflabp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlklkgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akamff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amlogfel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fikbocki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdkifmjq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabomkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkchelci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbjoeojc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhbolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofaiokl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paelfmaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qaalblgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhgmmbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgnffj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnmopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cocacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alnfpcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imiehfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opnbae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plejdkmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahippdbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nknobkje.exe -
Executes dropped EXE 64 IoCs
pid Process 4028 Igjeanmj.exe 4916 Ioambknl.exe 4824 Ifleoe32.exe 2884 Ienekbld.exe 2852 Jkhngl32.exe 2648 Jngjch32.exe 1792 Jbbfdfkn.exe 2344 Jeqbpb32.exe 840 Jgonlm32.exe 2104 Joffnk32.exe 324 Jbdbjf32.exe 244 Jecofa32.exe 464 Jiokfpph.exe 3508 Jkmgblok.exe 4316 Jnkcogno.exe 432 Jfbkpd32.exe 3676 Jiaglp32.exe 788 Jgdhgmep.exe 3664 Jpkphjeb.exe 1936 Jbileede.exe 5072 Jehhaaci.exe 1168 Jblijebc.exe 1736 Jieagojp.exe 3956 Kldmckic.exe 1464 Knbiofhg.exe 3844 Kbnepe32.exe 4876 Kelalp32.exe 1156 Kpbfii32.exe 2016 Keonap32.exe 736 Kijjbofj.exe 4620 Klifnj32.exe 2248 Kngcje32.exe 2532 Kfnkkb32.exe 5116 Khpgckkb.exe 3332 Kpgodhkd.exe 4852 Kbekqdjh.exe 4720 Kechmoil.exe 2156 Klmpiiai.exe 4436 Knlleepl.exe 4012 Kbghfc32.exe 3144 Kefdbo32.exe 2640 Lhdqnj32.exe 1236 Lnnikdnj.exe 2032 Lbjelc32.exe 4808 Lehaho32.exe 1940 Lhfmdj32.exe 1964 Llbidimc.exe 3220 Lnqeqd32.exe 436 Lfhnaa32.exe 3184 Lejnmncd.exe 1628 Lhijijbg.exe 2028 Lppbkgcj.exe 1164 Lbnngbbn.exe 3208 Lemkcnaa.exe 2316 Lhkgoiqe.exe 2576 Llgcph32.exe 4732 Loeolc32.exe 2132 Lbqklb32.exe 2772 Leoghn32.exe 4488 Likcilhh.exe 3128 Lhncdi32.exe 1516 Lpekef32.exe 1984 Loglacfo.exe 3600 Lfodbqfa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pcicklnn.exe Pedbahod.exe File created C:\Windows\SysWOW64\Bilqdmae.dll Cfcqpa32.exe File created C:\Windows\SysWOW64\Ccmgiaig.exe Cobkhb32.exe File opened for modification C:\Windows\SysWOW64\Eblpgjha.exe Elbhjp32.exe File created C:\Windows\SysWOW64\Flmqlg32.exe Fiodpl32.exe File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Ilnbicff.exe Igajal32.exe File created C:\Windows\SysWOW64\Kohmng32.dll Ocdjpmac.exe File opened for modification C:\Windows\SysWOW64\Ngmpcn32.exe Noehba32.exe File created C:\Windows\SysWOW64\Qklmpalf.exe Qhmqdemc.exe File created C:\Windows\SysWOW64\Jpaekqhh.exe Jmbhoeid.exe File opened for modification C:\Windows\SysWOW64\Cdimqm32.exe Bajqda32.exe File created C:\Windows\SysWOW64\Nhqihllh.dll Jfbkpd32.exe File opened for modification C:\Windows\SysWOW64\Pcjiff32.exe Pkcadhgm.exe File created C:\Windows\SysWOW64\Npbblbdb.dll Dmalne32.exe File created C:\Windows\SysWOW64\Oklfllgp.dll Phodcg32.exe File created C:\Windows\SysWOW64\Pqknpl32.dll Hfcnpn32.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mfqlfb32.exe File opened for modification C:\Windows\SysWOW64\Dojqjdbl.exe Dgcihgaj.exe File created C:\Windows\SysWOW64\Bgpgng32.exe Biogppeg.exe File created C:\Windows\SysWOW64\Bcghch32.exe Biadeoce.exe File created C:\Windows\SysWOW64\Hpgiggmj.dll Hglaej32.exe File created C:\Windows\SysWOW64\Dndnpf32.exe Dkfadkgf.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe File created C:\Windows\SysWOW64\Kdohmibo.dll Llgcph32.exe File created C:\Windows\SysWOW64\Ekojppef.dll Hjlkge32.exe File created C:\Windows\SysWOW64\Afkknogn.exe Aoabad32.exe File opened for modification C:\Windows\SysWOW64\Gkhkjd32.exe Gdobnj32.exe File opened for modification C:\Windows\SysWOW64\Nmgjia32.exe Nndjndbh.exe File created C:\Windows\SysWOW64\Aphblj32.dll Bomkcm32.exe File created C:\Windows\SysWOW64\Gafian32.dll Pckppl32.exe File created C:\Windows\SysWOW64\Knhebpni.dll Pojcjh32.exe File created C:\Windows\SysWOW64\Khoana32.dll Nlkgmh32.exe File created C:\Windows\SysWOW64\Hlepcdoa.exe Hekgfj32.exe File created C:\Windows\SysWOW64\Ekoglqie.dll Klfaapbl.exe File created C:\Windows\SysWOW64\Ogfcjm32.exe Ncjginjn.exe File created C:\Windows\SysWOW64\Dfokdq32.dll Hkpheidp.exe File created C:\Windows\SysWOW64\Lfifmo32.dll Dfjpfj32.exe File created C:\Windows\SysWOW64\Jcoong32.dll Elbhjp32.exe File created C:\Windows\SysWOW64\Jjjpnlbd.exe Jcphab32.exe File opened for modification C:\Windows\SysWOW64\Oohnonij.exe Opemca32.exe File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe Fibhpbea.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Kaofbcjo.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Jljbeali.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Gahffo32.dll Qadoba32.exe File created C:\Windows\SysWOW64\Ehqkihfg.dll Ncabfkqo.exe File opened for modification C:\Windows\SysWOW64\Modgdicm.exe Lncjlq32.exe File created C:\Windows\SysWOW64\Nnojho32.exe Mgeakekd.exe File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe Bdfpkm32.exe File created C:\Windows\SysWOW64\Henjapmn.dll Gilapgqb.exe File created C:\Windows\SysWOW64\Nhbolp32.exe Neccpd32.exe File created C:\Windows\SysWOW64\Mlofpg32.dll Jdaaaeqg.exe File opened for modification C:\Windows\SysWOW64\Aahbbkaq.exe Aojefobm.exe File opened for modification C:\Windows\SysWOW64\Kodnmkap.exe Kpanan32.exe File created C:\Windows\SysWOW64\Fdllgpbm.dll Lncjlq32.exe File created C:\Windows\SysWOW64\Nfjola32.exe Nnojho32.exe File created C:\Windows\SysWOW64\Pogppn32.dll Mblkhq32.exe File opened for modification C:\Windows\SysWOW64\Gmeakf32.exe Ghhhcomg.exe File created C:\Windows\SysWOW64\Ijhjcchb.exe Igjngh32.exe File created C:\Windows\SysWOW64\Egjoqncg.dll Ahenokjf.exe File opened for modification C:\Windows\SysWOW64\Dmalne32.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Ffmfchle.exe File created C:\Windows\SysWOW64\Fngcmcfe.exe Fligqhga.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5532 6692 WerFault.exe 1049 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijjbofj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcekpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlphbnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkconn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkqjmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiaglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpbfii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdqnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgeakekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajhndkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbohigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaqbbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqnbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbognp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljaccjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkokgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcjhkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqpamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jieagojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcqnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlbhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebjcajjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejbfmpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplkmckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhppji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhijijbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djklmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkpma32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elnoopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokmlmhl.dll" Hlcjhkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdabh32.dll" Kcbnnpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgifbhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahqoq32.dll" Afkknogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hlepcdoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfbkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Camddhoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hekgfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klcekpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkjlic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpbdopck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoonaj32.dll" Igjeanmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nomncpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokkdnic.dll" Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llgcph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iljpij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hbjoeojc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnqeqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfifmo32.dll" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ojgjndno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdpaeehj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbelcblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boenhgdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jecofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idcepgmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcaaddl.dll" Nimbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qljcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djhimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll" Pdjgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnech32.dll" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jblijebc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbcqiope.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camfoh32.dll" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahohdla.dll" Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbokg32.dll" Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbopqlen.dll" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeccjdie.dll" Klhnfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jeqbpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbnepe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddgibkpc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 4028 1740 da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe 82 PID 1740 wrote to memory of 4028 1740 da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe 82 PID 1740 wrote to memory of 4028 1740 da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe 82 PID 4028 wrote to memory of 4916 4028 Igjeanmj.exe 83 PID 4028 wrote to memory of 4916 4028 Igjeanmj.exe 83 PID 4028 wrote to memory of 4916 4028 Igjeanmj.exe 83 PID 4916 wrote to memory of 4824 4916 Ioambknl.exe 84 PID 4916 wrote to memory of 4824 4916 Ioambknl.exe 84 PID 4916 wrote to memory of 4824 4916 Ioambknl.exe 84 PID 4824 wrote to memory of 2884 4824 Ifleoe32.exe 85 PID 4824 wrote to memory of 2884 4824 Ifleoe32.exe 85 PID 4824 wrote to memory of 2884 4824 Ifleoe32.exe 85 PID 2884 wrote to memory of 2852 2884 Ienekbld.exe 86 PID 2884 wrote to memory of 2852 2884 Ienekbld.exe 86 PID 2884 wrote to memory of 2852 2884 Ienekbld.exe 86 PID 2852 wrote to memory of 2648 2852 Jkhngl32.exe 87 PID 2852 wrote to memory of 2648 2852 Jkhngl32.exe 87 PID 2852 wrote to memory of 2648 2852 Jkhngl32.exe 87 PID 2648 wrote to memory of 1792 2648 Jngjch32.exe 88 PID 2648 wrote to memory of 1792 2648 Jngjch32.exe 88 PID 2648 wrote to memory of 1792 2648 Jngjch32.exe 88 PID 1792 wrote to memory of 2344 1792 Jbbfdfkn.exe 89 PID 1792 wrote to memory of 2344 1792 Jbbfdfkn.exe 89 PID 1792 wrote to memory of 2344 1792 Jbbfdfkn.exe 89 PID 2344 wrote to memory of 840 2344 Jeqbpb32.exe 90 PID 2344 wrote to memory of 840 2344 Jeqbpb32.exe 90 PID 2344 wrote to memory of 840 2344 Jeqbpb32.exe 90 PID 840 wrote to memory of 2104 840 Jgonlm32.exe 91 PID 840 wrote to memory of 2104 840 Jgonlm32.exe 91 PID 840 wrote to memory of 2104 840 Jgonlm32.exe 91 PID 2104 wrote to memory of 324 2104 Joffnk32.exe 92 PID 2104 wrote to memory of 324 2104 Joffnk32.exe 92 PID 2104 wrote to memory of 324 2104 Joffnk32.exe 92 PID 324 wrote to memory of 244 324 Jbdbjf32.exe 93 PID 324 wrote to memory of 244 324 Jbdbjf32.exe 93 PID 324 wrote to memory of 244 324 Jbdbjf32.exe 93 PID 244 wrote to memory of 464 244 Jecofa32.exe 94 PID 244 wrote to memory of 464 244 Jecofa32.exe 94 PID 244 wrote to memory of 464 244 Jecofa32.exe 94 PID 464 wrote to memory of 3508 464 Jiokfpph.exe 95 PID 464 wrote to memory of 3508 464 Jiokfpph.exe 95 PID 464 wrote to memory of 3508 464 Jiokfpph.exe 95 PID 3508 wrote to memory of 4316 3508 Jkmgblok.exe 96 PID 3508 wrote to memory of 4316 3508 Jkmgblok.exe 96 PID 3508 wrote to memory of 4316 3508 Jkmgblok.exe 96 PID 4316 wrote to memory of 432 4316 Jnkcogno.exe 97 PID 4316 wrote to memory of 432 4316 Jnkcogno.exe 97 PID 4316 wrote to memory of 432 4316 Jnkcogno.exe 97 PID 432 wrote to memory of 3676 432 Jfbkpd32.exe 98 PID 432 wrote to memory of 3676 432 Jfbkpd32.exe 98 PID 432 wrote to memory of 3676 432 Jfbkpd32.exe 98 PID 3676 wrote to memory of 788 3676 Jiaglp32.exe 99 PID 3676 wrote to memory of 788 3676 Jiaglp32.exe 99 PID 3676 wrote to memory of 788 3676 Jiaglp32.exe 99 PID 788 wrote to memory of 3664 788 Jgdhgmep.exe 100 PID 788 wrote to memory of 3664 788 Jgdhgmep.exe 100 PID 788 wrote to memory of 3664 788 Jgdhgmep.exe 100 PID 3664 wrote to memory of 1936 3664 Jpkphjeb.exe 101 PID 3664 wrote to memory of 1936 3664 Jpkphjeb.exe 101 PID 3664 wrote to memory of 1936 3664 Jpkphjeb.exe 101 PID 1936 wrote to memory of 5072 1936 Jbileede.exe 102 PID 1936 wrote to memory of 5072 1936 Jbileede.exe 102 PID 1936 wrote to memory of 5072 1936 Jbileede.exe 102 PID 5072 wrote to memory of 1168 5072 Jehhaaci.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe"C:\Users\Admin\AppData\Local\Temp\da44b19bb0eff65a5e3e54f7a4d50952b654a44a5650783b5cd5cf0440d28a5e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Jieagojp.exeC:\Windows\system32\Jieagojp.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe25⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe26⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3844 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe28⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe30⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe32⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe33⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe34⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe35⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe36⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe37⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe38⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe39⤵PID:4344
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe40⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe41⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe42⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe43⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe45⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe46⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe47⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe48⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe51⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe52⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe54⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe55⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe56⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe57⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe59⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe60⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe61⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe62⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe63⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe65⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Lfodbqfa.exeC:\Windows\system32\Lfodbqfa.exe66⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe67⤵PID:4796
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe68⤵
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:404 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe70⤵PID:4480
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe71⤵PID:4528
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe72⤵PID:872
-
C:\Windows\SysWOW64\Medqcmki.exeC:\Windows\system32\Medqcmki.exe73⤵PID:2168
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe74⤵PID:1956
-
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe75⤵PID:4536
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe76⤵PID:4408
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe77⤵PID:1916
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe78⤵PID:4616
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe79⤵PID:5024
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe80⤵PID:2228
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe81⤵PID:4060
-
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe82⤵PID:3760
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe83⤵PID:740
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe84⤵PID:3556
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe85⤵PID:3192
-
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe86⤵
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe87⤵PID:4364
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe88⤵PID:3620
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe90⤵PID:4152
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe91⤵PID:2260
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe92⤵
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe93⤵PID:1772
-
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe94⤵PID:2160
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe95⤵PID:3560
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe96⤵PID:720
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe97⤵
- Drops file in System32 directory
PID:4228 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe98⤵PID:208
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe99⤵PID:3480
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe100⤵
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe101⤵
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe102⤵
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe103⤵PID:3392
-
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe104⤵PID:1148
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe105⤵PID:3856
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe106⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe107⤵PID:1068
-
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe108⤵PID:2760
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe109⤵PID:4464
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe110⤵PID:4512
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe111⤵PID:888
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe112⤵PID:412
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe113⤵PID:3212
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe114⤵PID:1812
-
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe115⤵
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe116⤵
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe117⤵PID:4076
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe118⤵PID:1840
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe119⤵PID:4208
-
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe120⤵PID:3188
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe121⤵PID:3992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-