Analysis
- max time kernel: 125s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/09/2024, 23:04
Static task: static1
Behavioral task: behavioral1
- Sample: d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe
- Resource: win10v2004-20240802-en
General
- Target: d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe
- Size: 198KB
- MD5: 89dabfabc645d75b30e3b2856e5036fc
- SHA1: bb60ea7715247f13feb2c1d7bc958eca5a51c0f0
- SHA256: d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324
- SHA512: 34e0997d69276de49c5bf4e89398c22b7ba9657fb6aa5241e9754f84c37a4c225fc4b70aa745ccddc5c86d78e76c140f7ca26edcae24b44e802f8013be3fc39d
- SSDEEP: 3072:FElgQd4biUaRHiQ4Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrCIwfE:FYVd42NHiQBOHhkym/89bKws
Malware Config
Extracted: berbew
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
- pid: 8600
- pid_target: 7448
- Process: WerFault.exe
- procid_target: 1056
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2980 wrote to memory of 3860 | 2980 | d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe | 89
PID 2980 wrote to memory of 3860 | 2980 | d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe | 89
PID 2980 wrote to memory of 3860 | 2980 | d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe | 89
PID 3860 wrote to memory of 2468 | 3860 | Kfeolkab.exe | 90
PID 3860 wrote to memory of 2468 | 3860 | Kfeolkab.exe | 90
PID 3860 wrote to memory of 2468 | 3860 | Kfeolkab.exe | 90
PID 2468 wrote to memory of 4820 | 2468 | Kmogieho.exe | 91
PID 2468 wrote to memory of 4820 | 2468 | Kmogieho.exe | 91
PID 2468 wrote to memory of 4820 | 2468 | Kmogieho.exe | 91
PID 4820 wrote to memory of 1448 | 4820 | Kifhnf32.exe | 92
PID 4820 wrote to memory of 1448 | 4820 | Kifhnf32.exe | 92
PID 4820 wrote to memory of 1448 | 4820 | Kifhnf32.exe | 92
PID 1448 wrote to memory of 2988 | 1448 | Kpppkqep.exe | 93
PID 1448 wrote to memory of 2988 | 1448 | Kpppkqep.exe | 93
PID 1448 wrote to memory of 2988 | 1448 | Kpppkqep.exe | 93
PID 2988 wrote to memory of 1144 | 2988 | Kemhcgdg.exe | 94
PID 2988 wrote to memory of 1144 | 2988 | Kemhcgdg.exe | 94
PID 2988 wrote to memory of 1144 | 2988 | Kemhcgdg.exe | 94
PID 1144 wrote to memory of 4872 | 1144 | Ldniqolf.exe | 95
PID 1144 wrote to memory of 4872 | 1144 | Ldniqolf.exe | 95
PID 1144 wrote to memory of 4872 | 1144 | Ldniqolf.exe | 95
PID 4872 wrote to memory of 224 | 4872 | Lmfmid32.exe | 96
PID 4872 wrote to memory of 224 | 4872 | Lmfmid32.exe | 96
PID 4872 wrote to memory of 224 | 4872 | Lmfmid32.exe | 96
PID 224 wrote to memory of 3024 | 224 | Lfoabjih.exe | 97
PID 224 wrote to memory of 3024 | 224 | Lfoabjih.exe | 97
PID 224 wrote to memory of 3024 | 224 | Lfoabjih.exe | 97
PID 3024 wrote to memory of 1204 | 3024 | Lpgfkpph.exe | 98
PID 3024 wrote to memory of 1204 | 3024 | Lpgfkpph.exe | 98
PID 3024 wrote to memory of 1204 | 3024 | Lpgfkpph.exe | 98
PID 1204 wrote to memory of 664 | 1204 | Lfanhj32.exe | 99
PID 1204 wrote to memory of 664 | 1204 | Lfanhj32.exe | 99
PID 1204 wrote to memory of 664 | 1204 | Lfanhj32.exe | 99
PID 664 wrote to memory of 2360 | 664 | Lpicaome.exe | 100
PID 664 wrote to memory of 2360 | 664 | Lpicaome.exe | 100
PID 664 wrote to memory of 2360 | 664 | Lpicaome.exe | 100
PID 2360 wrote to memory of 4836 | 2360 | Lefkiflm.exe | 101
PID 2360 wrote to memory of 4836 | 2360 | Lefkiflm.exe | 101
PID 2360 wrote to memory of 4836 | 2360 | Lefkiflm.exe | 101
PID 4836 wrote to memory of 4716 | 4836 | Llpcfp32.exe | 102
PID 4836 wrote to memory of 4716 | 4836 | Llpcfp32.exe | 102
PID 4836 wrote to memory of 4716 | 4836 | Llpcfp32.exe | 102
PID 4716 wrote to memory of 2888 | 4716 | Liddodbc.exe | 103
PID 4716 wrote to memory of 2888 | 4716 | Liddodbc.exe | 103
PID 4716 wrote to memory of 2888 | 4716 | Liddodbc.exe | 103
PID 2888 wrote to memory of 3716 | 2888 | Mghdiiam.exe | 104
PID 2888 wrote to memory of 3716 | 2888 | Mghdiiam.exe | 104
PID 2888 wrote to memory of 3716 | 2888 | Mghdiiam.exe | 104
PID 3716 wrote to memory of 3836 | 3716 | Mdlebm32.exe | 105
PID 3716 wrote to memory of 3836 | 3716 | Mdlebm32.exe | 105
PID 3716 wrote to memory of 3836 | 3716 | Mdlebm32.exe | 105
PID 3836 wrote to memory of 2960 | 3836 | Memajeee.exe | 106
PID 3836 wrote to memory of 2960 | 3836 | Memajeee.exe | 106
PID 3836 wrote to memory of 2960 | 3836 | Memajeee.exe | 106
PID 2960 wrote to memory of 3252 | 2960 | Mdnagm32.exe | 107
PID 2960 wrote to memory of 3252 | 2960 | Mdnagm32.exe | 107
PID 2960 wrote to memory of 3252 | 2960 | Mdnagm32.exe | 107
PID 3252 wrote to memory of 2592 | 3252 | Mmgfqbdd.exe | 108
PID 3252 wrote to memory of 2592 | 3252 | Mmgfqbdd.exe | 108
PID 3252 wrote to memory of 2592 | 3252 | Mmgfqbdd.exe | 108
PID 2592 wrote to memory of 2220 | 2592 | Mgokihke.exe | 109
PID 2592 wrote to memory of 2220 | 2592 | Mgokihke.exe | 109
PID 2592 wrote to memory of 2220 | 2592 | Mgokihke.exe | 109
PID 2220 wrote to memory of 5096 | 2220 | Mimgecji.exe | 110
Processes
Each entry gives the nesting depth in the process tree (in brackets), the executable path, its command line and the PID, followed by the signatures triggered by that process.

[1] C:\Users\Admin\AppData\Local\Temp\d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe, command line "C:\Users\Admin\AppData\Local\Temp\d8458c00cb222ca298c588e6191da8299ffc462b837e3f157757c4877d175324.exe", PID 2980
- Modifies registry class
- Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Kfeolkab.exe, command line C:\Windows\system32\Kfeolkab.exe, PID 3860
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Kmogieho.exe, command line C:\Windows\system32\Kmogieho.exe, PID 2468
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Kifhnf32.exe, command line C:\Windows\system32\Kifhnf32.exe, PID 4820
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Kpppkqep.exe, command line C:\Windows\system32\Kpppkqep.exe, PID 1448
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Kemhcgdg.exe, command line C:\Windows\system32\Kemhcgdg.exe, PID 2988
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Ldniqolf.exe, command line C:\Windows\system32\Ldniqolf.exe, PID 1144
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Lmfmid32.exe, command line C:\Windows\system32\Lmfmid32.exe, PID 4872
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Lfoabjih.exe, command line C:\Windows\system32\Lfoabjih.exe, PID 224
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Lpgfkpph.exe, command line C:\Windows\system32\Lpgfkpph.exe, PID 3024
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Lfanhj32.exe, command line C:\Windows\system32\Lfanhj32.exe, PID 1204
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Lpicaome.exe, command line C:\Windows\system32\Lpicaome.exe, PID 664
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Lefkiflm.exe, command line C:\Windows\system32\Lefkiflm.exe, PID 2360
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Llpcfp32.exe, command line C:\Windows\system32\Llpcfp32.exe, PID 4836
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Liddodbc.exe, command line C:\Windows\system32\Liddodbc.exe, PID 4716
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Mghdiiam.exe, command line C:\Windows\system32\Mghdiiam.exe, PID 2888
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Mdlebm32.exe, command line C:\Windows\system32\Mdlebm32.exe, PID 3716
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Memajeee.exe, command line C:\Windows\system32\Memajeee.exe, PID 3836
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Mdnagm32.exe, command line C:\Windows\system32\Mdnagm32.exe, PID 2960
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Mmgfqbdd.exe, command line C:\Windows\system32\Mmgfqbdd.exe, PID 3252
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Mgokihke.exe, command line C:\Windows\system32\Mgokihke.exe, PID 2592
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Mimgecji.exe, command line C:\Windows\system32\Mimgecji.exe, PID 2220
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Mdckbljo.exe, command line C:\Windows\system32\Mdckbljo.exe, PID 5096
- Executes dropped EXE
[24] C:\Windows\SysWOW64\Mipckchf.exe, command line C:\Windows\system32\Mipckchf.exe, PID 3360
- Executes dropped EXE
[25] C:\Windows\SysWOW64\Nlnpgngj.exe, command line C:\Windows\system32\Nlnpgngj.exe, PID 4596
- Executes dropped EXE
[26] C:\Windows\SysWOW64\Nibpqb32.exe, command line C:\Windows\system32\Nibpqb32.exe, PID 2836
- Executes dropped EXE
[27] C:\Windows\SysWOW64\Ndhdnk32.exe, command line C:\Windows\system32\Ndhdnk32.exe, PID 3144
- Executes dropped EXE
[28] C:\Windows\SysWOW64\Nghmpf32.exe, command line C:\Windows\system32\Nghmpf32.exe, PID 2392
- Executes dropped EXE
[29] C:\Windows\SysWOW64\Njgjlban.exe, command line C:\Windows\system32\Njgjlban.exe, PID 432
- Executes dropped EXE
- Drops file in System32 directory
[30] C:\Windows\SysWOW64\Ndoknjpa.exe, command line C:\Windows\system32\Ndoknjpa.exe, PID 864
- Executes dropped EXE
[31] C:\Windows\SysWOW64\Opekckee.exe, command line C:\Windows\system32\Opekckee.exe, PID 2396
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[32] C:\Windows\SysWOW64\Ofbdlbcm.exe, command line C:\Windows\system32\Ofbdlbcm.exe, PID 5000
- Executes dropped EXE
[33] C:\Windows\SysWOW64\Ogbpfe32.exe, command line C:\Windows\system32\Ogbpfe32.exe, PID 1640
- Executes dropped EXE
[34] C:\Windows\SysWOW64\Oqjeok32.exe, command line C:\Windows\system32\Oqjeok32.exe, PID 4400
- Executes dropped EXE
[35] C:\Windows\SysWOW64\Ofgmga32.exe, command line C:\Windows\system32\Ofgmga32.exe, PID 3048
- Executes dropped EXE
[36] C:\Windows\SysWOW64\Ojefmpen.exe, command line C:\Windows\system32\Ojefmpen.exe, PID 592
- Executes dropped EXE
[37] C:\Windows\SysWOW64\Omcbikda.exe, command line C:\Windows\system32\Omcbikda.exe, PID 3652
- Executes dropped EXE
[38] C:\Windows\SysWOW64\Pjgbbp32.exe, command line C:\Windows\system32\Pjgbbp32.exe, PID 1560
- Executes dropped EXE
[39] C:\Windows\SysWOW64\Pfncgqip.exe, command line C:\Windows\system32\Pfncgqip.exe, PID 1620
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
[40] C:\Windows\SysWOW64\Pqcgeiie.exe, command line C:\Windows\system32\Pqcgeiie.exe, PID 740
- Executes dropped EXE
[41] C:\Windows\SysWOW64\Pfppmp32.exe, command line C:\Windows\system32\Pfppmp32.exe, PID 3540
- Executes dropped EXE
[42] C:\Windows\SysWOW64\Pqfdji32.exe, command line C:\Windows\system32\Pqfdji32.exe, PID 1660
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[43] C:\Windows\SysWOW64\Pgplgcnp.exe, command line C:\Windows\system32\Pgplgcnp.exe, PID 2296
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[44] C:\Windows\SysWOW64\Pjnicomc.exe, command line C:\Windows\system32\Pjnicomc.exe, PID 2568
- Executes dropped EXE
[45] C:\Windows\SysWOW64\Pddmqgmi.exe, command line C:\Windows\system32\Pddmqgmi.exe, PID 4628
- Executes dropped EXE
[46] C:\Windows\SysWOW64\Pcgmld32.exe, command line C:\Windows\system32\Pcgmld32.exe, PID 2976
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[47] C:\Windows\SysWOW64\Pnlaimcj.exe, command line C:\Windows\system32\Pnlaimcj.exe, PID 4140
- Executes dropped EXE
[48] C:\Windows\SysWOW64\Pqknehcn.exe, command line C:\Windows\system32\Pqknehcn.exe, PID 1608
- Executes dropped EXE
[49] C:\Windows\SysWOW64\Qmanji32.exe, command line C:\Windows\system32\Qmanji32.exe, PID 4956
- Executes dropped EXE
[50] C:\Windows\SysWOW64\Qckfgcpo.exe, command line C:\Windows\system32\Qckfgcpo.exe, PID 4344
- Executes dropped EXE
[51] C:\Windows\SysWOW64\Qggbhbhh.exe, command line C:\Windows\system32\Qggbhbhh.exe, PID 2056
- Executes dropped EXE
[52] C:\Windows\SysWOW64\Qqogqg32.exe, command line C:\Windows\system32\Qqogqg32.exe, PID 1700
- Executes dropped EXE
[53] C:\Windows\SysWOW64\Ajhlimei.exe, command line C:\Windows\system32\Ajhlimei.exe, PID 3564
- Executes dropped EXE
- Drops file in System32 directory
[54] C:\Windows\SysWOW64\Ajledl32.exe, command line C:\Windows\system32\Ajledl32.exe, PID 4840
- Executes dropped EXE
[55] C:\Windows\SysWOW64\Aceimbhd.exe, command line C:\Windows\system32\Aceimbhd.exe, PID 1016
- Executes dropped EXE
[56] C:\Windows\SysWOW64\Afcfimgg.exe, command line C:\Windows\system32\Afcfimgg.exe, PID 4196
- Executes dropped EXE
[57] C:\Windows\SysWOW64\Ajanplmn.exe, command line C:\Windows\system32\Ajanplmn.exe, PID 4584
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[58] C:\Windows\SysWOW64\Anmjpj32.exe, command line C:\Windows\system32\Anmjpj32.exe, PID 3684
- Executes dropped EXE
[59] C:\Windows\SysWOW64\Bfhodm32.exe, command line C:\Windows\system32\Bfhodm32.exe, PID 4360
- Executes dropped EXE
- Drops file in System32 directory
[60] C:\Windows\SysWOW64\Bnogfj32.exe, command line C:\Windows\system32\Bnogfj32.exe, PID 1472
- Executes dropped EXE
[61] C:\Windows\SysWOW64\Bfjljlap.exe, command line C:\Windows\system32\Bfjljlap.exe, PID 4984
- Executes dropped EXE
[62] C:\Windows\SysWOW64\Bmddgf32.exe, command line C:\Windows\system32\Bmddgf32.exe, PID 1536
- Executes dropped EXE
- System Location Discovery: System Language Discovery
[63] C:\Windows\SysWOW64\Bappgeqe.exe, command line C:\Windows\system32\Bappgeqe.exe, PID 2760
- Executes dropped EXE
[64] C:\Windows\SysWOW64\Bgjhdo32.exe, command line C:\Windows\system32\Bgjhdo32.exe, PID 3000
- Executes dropped EXE
[65] C:\Windows\SysWOW64\Bncqqioo.exe, command line C:\Windows\system32\Bncqqioo.exe, PID 1884
- Executes dropped EXE
[66] C:\Windows\SysWOW64\Benincgl.exe, command line C:\Windows\system32\Benincgl.exe, PID 1028
[67] C:\Windows\SysWOW64\Bglejofp.exe, command line C:\Windows\system32\Bglejofp.exe, PID 3608
- Adds autorun key to be loaded by Explorer.exe on startup
[68] C:\Windows\SysWOW64\Bmimbfdg.exe, command line C:\Windows\system32\Bmimbfdg.exe, PID 1036
[69] C:\Windows\SysWOW64\Bccfop32.exe, command line C:\Windows\system32\Bccfop32.exe, PID 1240
[70] C:\Windows\SysWOW64\Bagfhd32.exe, command line C:\Windows\system32\Bagfhd32.exe, PID 4404
[71] C:\Windows\SysWOW64\Cebbhc32.exe, command line C:\Windows\system32\Cebbhc32.exe, PID 1984
[72] C:\Windows\SysWOW64\Ccebdpia.exe, command line C:\Windows\system32\Ccebdpia.exe, PID 3640
[73] C:\Windows\SysWOW64\Cfcopkie.exe, command line C:\Windows\system32\Cfcopkie.exe, PID 4004
[74] C:\Windows\SysWOW64\Cnkfahig.exe, command line C:\Windows\system32\Cnkfahig.exe, PID 5124
[75] C:\Windows\SysWOW64\Cdgojogo.exe, command line C:\Windows\system32\Cdgojogo.exe, PID 5164
[76] C:\Windows\SysWOW64\Chckjn32.exe, command line C:\Windows\system32\Chckjn32.exe, PID 5208
[77] C:\Windows\SysWOW64\Cnmcghgd.exe, command line C:\Windows\system32\Cnmcghgd.exe, PID 5260
[78] C:\Windows\SysWOW64\Ceglcb32.exe, command line C:\Windows\system32\Ceglcb32.exe, PID 5300
[79] C:\Windows\SysWOW64\Cjddlimi.exe, command line C:\Windows\system32\Cjddlimi.exe, PID 5380
[80] C:\Windows\SysWOW64\Ceihibmo.exe, command line C:\Windows\system32\Ceihibmo.exe, PID 5420
- Adds autorun key to be loaded by Explorer.exe on startup
[81] C:\Windows\SysWOW64\Cfjeaj32.exe, command line C:\Windows\system32\Cfjeaj32.exe, PID 5456
- System Location Discovery: System Language Discovery
[82] C:\Windows\SysWOW64\Capinc32.exe, command line C:\Windows\system32\Capinc32.exe, PID 5504
[83] C:\Windows\SysWOW64\Cdoejn32.exe, command line C:\Windows\system32\Cdoejn32.exe, PID 5548
[84] C:\Windows\SysWOW64\Dabfdbpp.exe, command line C:\Windows\system32\Dabfdbpp.exe, PID 5592
[85] C:\Windows\SysWOW64\Dmific32.exe, command line C:\Windows\system32\Dmific32.exe, PID 5640
[86] C:\Windows\SysWOW64\Depnja32.exe, command line C:\Windows\system32\Depnja32.exe, PID 5676
[87] C:\Windows\SysWOW64\Dagoob32.exe, command line C:\Windows\system32\Dagoob32.exe, PID 5732
- Modifies registry class
[88] C:\Windows\SysWOW64\Dfdggi32.exe, command line C:\Windows\system32\Dfdggi32.exe, PID 5780
[89] C:\Windows\SysWOW64\Ddhhqm32.exe, command line C:\Windows\system32\Ddhhqm32.exe, PID 5824
- System Location Discovery: System Language Discovery
[90] C:\Windows\SysWOW64\Dhcdalae.exe, command line C:\Windows\system32\Dhcdalae.exe, PID 5868
[91] C:\Windows\SysWOW64\Dalhjahe.exe, command line C:\Windows\system32\Dalhjahe.exe, PID 5912
- Adds autorun key to be loaded by Explorer.exe on startup
[92] C:\Windows\SysWOW64\Ddjefmgi.exe, command line C:\Windows\system32\Ddjefmgi.exe, PID 5956
[93] C:\Windows\SysWOW64\Edmallef.exe, command line C:\Windows\system32\Edmallef.exe, PID 6000
[94] C:\Windows\SysWOW64\Egmjmg32.exe, command line C:\Windows\system32\Egmjmg32.exe, PID 6048
[95] C:\Windows\SysWOW64\Edcglkoo.exe, command line C:\Windows\system32\Edcglkoo.exe, PID 6092
[96] C:\Windows\SysWOW64\Eknpie32.exe, command line C:\Windows\system32\Eknpie32.exe, PID 6136
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
[97] C:\Windows\SysWOW64\Emllea32.exe, command line C:\Windows\system32\Emllea32.exe, PID 536
[98] C:\Windows\SysWOW64\Fdhagk32.exe, command line C:\Windows\system32\Fdhagk32.exe, PID 5196
[99] C:\Windows\SysWOW64\Foneec32.exe, command line C:\Windows\system32\Foneec32.exe, PID 5292
[100] C:\Windows\SysWOW64\Falaao32.exe, command line C:\Windows\system32\Falaao32.exe, PID 5408
[101] C:\Windows\SysWOW64\Fdknmj32.exe, command line C:\Windows\system32\Fdknmj32.exe, PID 5480
[102] C:\Windows\SysWOW64\Fncbfppg.exe, command line C:\Windows\system32\Fncbfppg.exe, PID 5556
[103] C:\Windows\SysWOW64\Fdmjbj32.exe, command line C:\Windows\system32\Fdmjbj32.exe, PID 5636
- System Location Discovery: System Language Discovery
[104] C:\Windows\SysWOW64\Fkgbod32.exe, command line C:\Windows\system32\Fkgbod32.exe, PID 5700
- Adds autorun key to be loaded by Explorer.exe on startup
[105] C:\Windows\SysWOW64\Felgmm32.exe, command line C:\Windows\system32\Felgmm32.exe, PID 5768
[106] C:\Windows\SysWOW64\Fgncdede.exe, command line C:\Windows\system32\Fgncdede.exe, PID 5848
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
[107] C:\Windows\SysWOW64\Fkioed32.exe, command line C:\Windows\system32\Fkioed32.exe, PID 5908
[108] C:\Windows\SysWOW64\Foekebeg.exe, command line C:\Windows\system32\Foekebeg.exe, PID 5992
[109] C:\Windows\SysWOW64\Fgppje32.exe, command line C:\Windows\system32\Fgppje32.exe, PID 6040
- Adds autorun key to be loaded by Explorer.exe on startup
[110] C:\Windows\SysWOW64\Goghkb32.exe, command line C:\Windows\system32\Goghkb32.exe, PID 6104
[111] C:\Windows\SysWOW64\Geaphlja.exe, command line C:\Windows\system32\Geaphlja.exe, PID 5132
[112] C:\Windows\SysWOW64\Ggbmod32.exe, command line C:\Windows\system32\Ggbmod32.exe, PID 5236
[113] C:\Windows\SysWOW64\Gahamm32.exe, command line C:\Windows\system32\Gahamm32.exe, PID 5364
[114] C:\Windows\SysWOW64\Ggeied32.exe, command line C:\Windows\system32\Ggeied32.exe, PID 5532
[115] C:\Windows\SysWOW64\Golafaoo.exe, command line C:\Windows\system32\Golafaoo.exe, PID 5624
[116] C:\Windows\SysWOW64\Gefjbl32.exe, command line C:\Windows\system32\Gefjbl32.exe, PID 5808
- System Location Discovery: System Language Discovery
[117] C:\Windows\SysWOW64\Gdijnhmf.exe, command line C:\Windows\system32\Gdijnhmf.exe, PID 5888
[118] C:\Windows\SysWOW64\Gkbbkb32.exe, command line C:\Windows\system32\Gkbbkb32.exe, PID 6060
- Drops file in System32 directory
[119] C:\Windows\SysWOW64\Gonnlaml.exe, command line C:\Windows\system32\Gonnlaml.exe, PID 2120
[120] C:\Windows\SysWOW64\Gkeoqb32.exe, command line C:\Windows\system32\Gkeoqb32.exe, PID 5284
[121] C:\Windows\SysWOW64\Gfjcnkbf.exe, command line C:\Windows\system32\Gfjcnkbf.exe, PID 5492
[122] C:\Windows\SysWOW64\Ghiojfaj.exe, command line C:\Windows\system32\Ghiojfaj.exe, PID 5720