Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 18:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe
-
Size
74KB
-
MD5
3a07818b6fa9b6a8ee49d329224d9b70
-
SHA1
98b30141a09661b9009c99de75fe0a7b99272eb4
-
SHA256
93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4
-
SHA512
50ff7f42930c22286d462d2a5589373f336eeec191ec90f56d447ab53f01979699f9a914abc2eaf924227f5a47c956c0d4475edde49d8a84abe512fa53ca66c1
-
SSDEEP
1536:BDe+bM56WmQ7QY1P4FbfW7uuv+BSuJRlCl4PH:BDK56WmOQY1P8K7Z+RRl+4PH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dakikoom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dolmodpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcoccc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjmdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dojqjdbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfaapbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcgiefen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qobhkjdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbefdijg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piapkbeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enhpao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkqjmdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekonpckp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmhand32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmoohbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eghkjdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmhijd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqofe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhpfbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnkggfkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paoollik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emmdom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Filapfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fflohaij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqfpckhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eppjfgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iondqhpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johnamkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkfcqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcaipa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokfja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhand32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikbfgppo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgcpokp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkqpkla.exe -
Executes dropped EXE 64 IoCs
pid Process 2076 Nhmeapmd.exe 116 Nklbmllg.exe 2580 Nafjjf32.exe 4532 Nimbkc32.exe 3736 Nknobkje.exe 5076 Nbefdijg.exe 1664 Niooqcad.exe 3280 Nkqkhk32.exe 3092 Nbgcih32.exe 1640 Nefped32.exe 1112 Okchnk32.exe 3284 Objpoh32.exe 1968 Oidhlb32.exe 2932 Okedcjcm.exe 1788 Oaompd32.exe 2744 Oifeab32.exe 3300 Oaajed32.exe 4940 Oemefcap.exe 4140 Ooejohhq.exe 384 Obafpg32.exe 1068 Oeoblb32.exe 4736 Oiknlagg.exe 868 Olijhmgj.exe 4932 Oohgdhfn.exe 2460 Obcceg32.exe 3432 Oeaoab32.exe 924 Ohpkmn32.exe 3680 Pllgnl32.exe 4252 Pojcjh32.exe 2160 Pahpfc32.exe 4716 Phbhcmjl.exe 5016 Pakllc32.exe 4920 Pefhlaie.exe 5096 Phedhmhi.exe 4088 Pamiaboj.exe 3540 Peieba32.exe 444 Poajkgnc.exe 3904 Pkhjph32.exe 448 Pabblb32.exe 3580 Qhlkilba.exe 4324 Qkjgegae.exe 1176 Qepkbpak.exe 4376 Qljcoj32.exe 4012 Qaflgago.exe 4500 Akoqpg32.exe 4144 Aaiimadl.exe 4888 Akamff32.exe 5000 Achegd32.exe 4908 Ahenokjf.exe 5056 Akcjkfij.exe 400 Ackbmcjl.exe 4108 Ahgjejhd.exe 4072 Aoabad32.exe 2380 Afkknogn.exe 3264 Abbkcpma.exe 2972 Bfngdn32.exe 1836 Boflmdkk.exe 664 Bcahmb32.exe 4800 Bjlpjm32.exe 1224 Bkmmaeap.exe 2072 Bfbaonae.exe 3008 Bhamkipi.exe 748 Bokehc32.exe 3572 Bcfahbpo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dokmlmhl.dll Hpofii32.exe File created C:\Windows\SysWOW64\Kldbpfio.dll Emoadlfo.exe File opened for modification C:\Windows\SysWOW64\Jofalmmp.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Falmlm32.dll Jeocna32.exe File opened for modification C:\Windows\SysWOW64\Flqdlnde.exe Fibhpbea.exe File created C:\Windows\SysWOW64\Jcikgacl.exe Jlobkg32.exe File opened for modification C:\Windows\SysWOW64\Ldgccb32.exe Ljaoeini.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Efpomccg.exe File opened for modification C:\Windows\SysWOW64\Hahokfag.exe Hnibokbd.exe File created C:\Windows\SysWOW64\Ghoqak32.dll Omgcpokp.exe File created C:\Windows\SysWOW64\Aphblj32.dll Blnoga32.exe File created C:\Windows\SysWOW64\Jhglpo32.dll Ckeimm32.exe File created C:\Windows\SysWOW64\Akcaoeoo.dll Enkdaepb.exe File opened for modification C:\Windows\SysWOW64\Kgiiiidd.exe Koaagkcb.exe File opened for modification C:\Windows\SysWOW64\Ockdmmoj.exe Oifppdpd.exe File created C:\Windows\SysWOW64\Leboon32.dll Koajmepf.exe File opened for modification C:\Windows\SysWOW64\Mhanngbl.exe Mfbaalbi.exe File created C:\Windows\SysWOW64\Abbkcpma.exe Afkknogn.exe File opened for modification C:\Windows\SysWOW64\Kqmkae32.exe Kjccdkki.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dooaoj32.exe File opened for modification C:\Windows\SysWOW64\Dmennnni.exe Dijbno32.exe File created C:\Windows\SysWOW64\Hikemehi.dll Cggimh32.exe File opened for modification C:\Windows\SysWOW64\Kpiqfima.exe Khbiello.exe File opened for modification C:\Windows\SysWOW64\Pmphaaln.exe Pfepdg32.exe File created C:\Windows\SysWOW64\Ciggeb32.dll Bffcpg32.exe File opened for modification C:\Windows\SysWOW64\Dmlkhofd.exe Cfbcke32.exe File created C:\Windows\SysWOW64\Okchnk32.exe Nefped32.exe File created C:\Windows\SysWOW64\Oaajed32.exe Oifeab32.exe File opened for modification C:\Windows\SysWOW64\Pamiaboj.exe Phedhmhi.exe File created C:\Windows\SysWOW64\Kadcjkfm.dll Cbbdjm32.exe File created C:\Windows\SysWOW64\Nmpgal32.dll Hdhedh32.exe File created C:\Windows\SysWOW64\Kjjiej32.exe Kkgiimng.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Bdagpnbk.exe Bmhocd32.exe File created C:\Windows\SysWOW64\Jpbhgp32.dll Edgbii32.exe File created C:\Windows\SysWOW64\Oqoefand.exe Ojemig32.exe File created C:\Windows\SysWOW64\Chjjqebm.dll Pcegclgp.exe File created C:\Windows\SysWOW64\Fmpbqoqg.dll Ciafbg32.exe File created C:\Windows\SysWOW64\Haaaidfk.dll Lgepom32.exe File created C:\Windows\SysWOW64\Ddligq32.exe Dfiildio.exe File created C:\Windows\SysWOW64\Gpnfge32.exe Gfeaopqo.exe File created C:\Windows\SysWOW64\Kngekilj.dll Ilkoim32.exe File created C:\Windows\SysWOW64\Lindkm32.exe Lafmjp32.exe File opened for modification C:\Windows\SysWOW64\Caojpaij.exe Coqncejg.exe File created C:\Windows\SysWOW64\Efpgoecp.dll Hkpqkcpd.exe File created C:\Windows\SysWOW64\Kkgiimng.exe Kdmqmc32.exe File created C:\Windows\SysWOW64\Mccfdmmo.exe Mminhceb.exe File created C:\Windows\SysWOW64\Ocdglf32.dll Neclenfo.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fmmmfj32.exe File created C:\Windows\SysWOW64\Oakbehfe.exe Ompfej32.exe File created C:\Windows\SysWOW64\Cjkoqgjn.dll Gfheof32.exe File opened for modification C:\Windows\SysWOW64\Hmechmip.exe Hkfglb32.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jkgpbp32.exe File opened for modification C:\Windows\SysWOW64\Kcpjnjii.exe Kodnmkap.exe File created C:\Windows\SysWOW64\Ojidbohn.dll Ekonpckp.exe File opened for modification C:\Windows\SysWOW64\Pcbkml32.exe Ppgomnai.exe File opened for modification C:\Windows\SysWOW64\Cobkhb32.exe Cmcolgbj.exe File opened for modification C:\Windows\SysWOW64\Idahjg32.exe Hildmn32.exe File created C:\Windows\SysWOW64\Bjdlfi32.dll Fpimlfke.exe File created C:\Windows\SysWOW64\Dbmdml32.dll Qhjmdp32.exe File opened for modification C:\Windows\SysWOW64\Mfpell32.exe Mcaipa32.exe File opened for modification C:\Windows\SysWOW64\Cjjlkk32.exe Cbbdjm32.exe File opened for modification C:\Windows\SysWOW64\Glldgljg.exe Gkkgpc32.exe File created C:\Windows\SysWOW64\Pioelhgj.dll Ipjedh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17724 17644 WerFault.exe 982 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjkcadp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokgdkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojkeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doojec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqllqqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmlla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkdic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafkgphl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pabblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnibokbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhanngbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhijd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhldbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlglidlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflkbanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipihpkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napjdpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhegig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fideeaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neclenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdickcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohejo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahmfpap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncccnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhnojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplmliko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnbgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phigif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emmdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oflmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll" Fbdehlip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqmojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncpeaoih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqkamhk.dll" Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnnhndk.dll" Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnidao32.dll" Ilmmni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdpaeehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnadil32.dll" Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll" Eblimcdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmjkic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckgofgjn.dll" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll" Pbjddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmmfmhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klbnajqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oiknlagg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll" Qobhkjdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbkmokh.dll" Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kplmliko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fllkqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjajmpkj.dll" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhmjl32.dll" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlmfeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll" Mfpell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nblolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heegad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomfgoah.dll" Mmbanbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Igfclkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpcecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hobipl32.dll" Oidhlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgehfkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjooo32.dll" Hoaojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhldm32.dll" Jlhljhbg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2076 2764 93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe 81 PID 2764 wrote to memory of 2076 2764 93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe 81 PID 2764 wrote to memory of 2076 2764 93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe 81 PID 2076 wrote to memory of 116 2076 Nhmeapmd.exe 82 PID 2076 wrote to memory of 116 2076 Nhmeapmd.exe 82 PID 2076 wrote to memory of 116 2076 Nhmeapmd.exe 82 PID 116 wrote to memory of 2580 116 Nklbmllg.exe 83 PID 116 wrote to memory of 2580 116 Nklbmllg.exe 83 PID 116 wrote to memory of 2580 116 Nklbmllg.exe 83 PID 2580 wrote to memory of 4532 2580 Nafjjf32.exe 84 PID 2580 wrote to memory of 4532 2580 Nafjjf32.exe 84 PID 2580 wrote to memory of 4532 2580 Nafjjf32.exe 84 PID 4532 wrote to memory of 3736 4532 Nimbkc32.exe 85 PID 4532 wrote to memory of 3736 4532 Nimbkc32.exe 85 PID 4532 wrote to memory of 3736 4532 Nimbkc32.exe 85 PID 3736 wrote to memory of 5076 3736 Nknobkje.exe 86 PID 3736 wrote to memory of 5076 3736 Nknobkje.exe 86 PID 3736 wrote to memory of 5076 3736 Nknobkje.exe 86 PID 5076 wrote to memory of 1664 5076 Nbefdijg.exe 87 PID 5076 wrote to memory of 1664 5076 Nbefdijg.exe 87 PID 5076 wrote to memory of 1664 5076 Nbefdijg.exe 87 PID 1664 wrote to memory of 3280 1664 Niooqcad.exe 88 PID 1664 wrote to memory of 3280 1664 Niooqcad.exe 88 PID 1664 wrote to memory of 3280 1664 Niooqcad.exe 88 PID 3280 wrote to memory of 3092 3280 Nkqkhk32.exe 89 PID 3280 wrote to memory of 3092 3280 Nkqkhk32.exe 89 PID 3280 wrote to memory of 3092 3280 Nkqkhk32.exe 89 PID 3092 wrote to memory of 1640 3092 Nbgcih32.exe 90 PID 3092 wrote to memory of 1640 3092 Nbgcih32.exe 90 PID 3092 wrote to memory of 1640 3092 Nbgcih32.exe 90 PID 1640 wrote to memory of 1112 1640 Nefped32.exe 91 PID 1640 wrote to memory of 1112 1640 Nefped32.exe 91 PID 1640 wrote to memory of 1112 1640 Nefped32.exe 91 PID 1112 wrote to memory of 3284 1112 Okchnk32.exe 92 PID 1112 wrote to memory of 3284 1112 Okchnk32.exe 92 PID 1112 wrote to memory of 3284 1112 Okchnk32.exe 92 PID 3284 wrote to memory of 1968 3284 Objpoh32.exe 93 PID 3284 wrote to memory of 1968 3284 Objpoh32.exe 93 PID 3284 wrote to memory of 1968 3284 Objpoh32.exe 93 PID 1968 wrote to memory of 2932 1968 Oidhlb32.exe 94 PID 1968 wrote to memory of 2932 1968 Oidhlb32.exe 94 PID 1968 wrote to memory of 2932 1968 Oidhlb32.exe 94 PID 2932 wrote to memory of 1788 2932 Okedcjcm.exe 95 PID 2932 wrote to memory of 1788 2932 Okedcjcm.exe 95 PID 2932 wrote to memory of 1788 2932 Okedcjcm.exe 95 PID 1788 wrote to memory of 2744 1788 Oaompd32.exe 96 PID 1788 wrote to memory of 2744 1788 Oaompd32.exe 96 PID 1788 wrote to memory of 2744 1788 Oaompd32.exe 96 PID 2744 wrote to memory of 3300 2744 Oifeab32.exe 97 PID 2744 wrote to memory of 3300 2744 Oifeab32.exe 97 PID 2744 wrote to memory of 3300 2744 Oifeab32.exe 97 PID 3300 wrote to memory of 4940 3300 Oaajed32.exe 98 PID 3300 wrote to memory of 4940 3300 Oaajed32.exe 98 PID 3300 wrote to memory of 4940 3300 Oaajed32.exe 98 PID 4940 wrote to memory of 4140 4940 Oemefcap.exe 99 PID 4940 wrote to memory of 4140 4940 Oemefcap.exe 99 PID 4940 wrote to memory of 4140 4940 Oemefcap.exe 99 PID 4140 wrote to memory of 384 4140 Ooejohhq.exe 100 PID 4140 wrote to memory of 384 4140 Ooejohhq.exe 100 PID 4140 wrote to memory of 384 4140 Ooejohhq.exe 100 PID 384 wrote to memory of 1068 384 Obafpg32.exe 101 PID 384 wrote to memory of 1068 384 Obafpg32.exe 101 PID 384 wrote to memory of 1068 384 Obafpg32.exe 101 PID 1068 wrote to memory of 4736 1068 Oeoblb32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe"C:\Users\Admin\AppData\Local\Temp\93e4691c745f9571d6c0a9b332da8d1f3ab9f5cf81365844fd82f148bf0406e4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe24⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe25⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe26⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe27⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe28⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe29⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe30⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe31⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe32⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe33⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe34⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5096 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe36⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe37⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe38⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe39⤵
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe41⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe42⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe43⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe44⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe45⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe46⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe47⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe48⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe49⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe50⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe51⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe52⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe53⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe54⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe56⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe57⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe58⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe60⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe61⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe62⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe63⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe64⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe65⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe66⤵
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe67⤵
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe68⤵PID:1396
-
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe69⤵PID:4572
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe70⤵PID:856
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe71⤵PID:3892
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe72⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe73⤵PID:3932
-
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe74⤵PID:4304
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe75⤵PID:1940
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe76⤵PID:3124
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe77⤵
- Drops file in System32 directory
PID:4208 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe78⤵PID:936
-
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe79⤵PID:2012
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe80⤵PID:3176
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe81⤵PID:2720
-
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe82⤵PID:5036
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe83⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe84⤵PID:3600
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe86⤵PID:532
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe87⤵PID:4848
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe88⤵PID:432
-
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3200 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe90⤵PID:2388
-
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe91⤵PID:3948
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe92⤵PID:3296
-
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe93⤵PID:4516
-
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe94⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe95⤵PID:3428
-
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe96⤵PID:4840
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe97⤵PID:3804
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe98⤵PID:4248
-
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe99⤵PID:4588
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe100⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe101⤵
- System Location Discovery: System Language Discovery
PID:4472 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4328 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe103⤵PID:2004
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe104⤵PID:1248
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe105⤵PID:4748
-
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe107⤵PID:1508
-
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe108⤵PID:2980
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe109⤵PID:2436
-
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe110⤵PID:5156
-
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe111⤵PID:5200
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe112⤵PID:5244
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe113⤵PID:5288
-
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe114⤵PID:5332
-
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe115⤵PID:5376
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe116⤵
- System Location Discovery: System Language Discovery
PID:5420 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe117⤵
- System Location Discovery: System Language Discovery
PID:5468 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe118⤵PID:5512
-
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe119⤵PID:5560
-
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe120⤵PID:5604
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe121⤵
- Modifies registry class
PID:5648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-