Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2024 04:21
Static task: static1
Behavioral task: behavioral1
Sample: 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Resource: win10v2004-20240802-en
General
Target: 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe
Size: 64KB
MD5: dc94d99255eb2440402c87882535d3d0
SHA1: 7c7782b9b0605e274adbe52dcfcc6094e4bb227d
SHA256: 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9c
SHA512: e0cb9ae8d758e569a359c3c7934e34751aaa9ba7b01bac490b43d8b1cc1bd42d054566b06136b35223f1d955bb98d7fb39e8d4d3ec7bb568a1800f6e88b02c72
SSDEEP: 768:m4rjlQMcKemWLLmgKrEE/Cs2ArHcXQT2n9l/11CAak+fC3/1H5tx6XJ1IwEGp9TY:v5emALmgrEssH72H/11CBQ4XUwXfzwv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 9604; pid_target: 10204; Process: Process not Found; procid_target: 1159
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4484 wrote to memory of 1780 4484 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe 89
PID 4484 wrote to memory of 1780 4484 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe 89
PID 4484 wrote to memory of 1780 4484 433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe 89
PID 1780 wrote to memory of 3988 1780 Nnkgbe32.exe 90
PID 1780 wrote to memory of 3988 1780 Nnkgbe32.exe 90
PID 1780 wrote to memory of 3988 1780 Nnkgbe32.exe 90
PID 3988 wrote to memory of 2976 3988 Nmlgpmfl.exe 91
PID 3988 wrote to memory of 2976 3988 Nmlgpmfl.exe 91
PID 3988 wrote to memory of 2976 3988 Nmlgpmfl.exe 91
PID 2976 wrote to memory of 2932 2976 Nnmdge32.exe 92
PID 2976 wrote to memory of 2932 2976 Nnmdge32.exe 92
PID 2976 wrote to memory of 2932 2976 Nnmdge32.exe 92
PID 2932 wrote to memory of 4808 2932 Negldocg.exe 93
PID 2932 wrote to memory of 4808 2932 Negldocg.exe 93
PID 2932 wrote to memory of 4808 2932 Negldocg.exe 93
PID 4808 wrote to memory of 1416 4808 Npmqah32.exe 94
PID 4808 wrote to memory of 1416 4808 Npmqah32.exe 94
PID 4808 wrote to memory of 1416 4808 Npmqah32.exe 94
PID 1416 wrote to memory of 1364 1416 Nffinbjj.exe 95
PID 1416 wrote to memory of 1364 1416 Nffinbjj.exe 95
PID 1416 wrote to memory of 1364 1416 Nffinbjj.exe 95
PID 1364 wrote to memory of 3700 1364 Nlcafiha.exe 96
PID 1364 wrote to memory of 3700 1364 Nlcafiha.exe 96
PID 1364 wrote to memory of 3700 1364 Nlcafiha.exe 96
PID 3700 wrote to memory of 3544 3700 Ofiecbhg.exe 97
PID 3700 wrote to memory of 3544 3700 Ofiecbhg.exe 97
PID 3700 wrote to memory of 3544 3700 Ofiecbhg.exe 97
PID 3544 wrote to memory of 1020 3544 Omcnplpd.exe 98
PID 3544 wrote to memory of 1020 3544 Omcnplpd.exe 98
PID 3544 wrote to memory of 1020 3544 Omcnplpd.exe 98
PID 1020 wrote to memory of 2368 1020 Obpfhcnk.exe 99
PID 1020 wrote to memory of 2368 1020 Obpfhcnk.exe 99
PID 1020 wrote to memory of 2368 1020 Obpfhcnk.exe 99
PID 2368 wrote to memory of 4352 2368 Oijnem32.exe 100
PID 2368 wrote to memory of 4352 2368 Oijnem32.exe 100
PID 2368 wrote to memory of 4352 2368 Oijnem32.exe 100
PID 4352 wrote to memory of 4408 4352 Obbcnbli.exe 101
PID 4352 wrote to memory of 4408 4352 Obbcnbli.exe 101
PID 4352 wrote to memory of 4408 4352 Obbcnbli.exe 101
PID 4408 wrote to memory of 5036 4408 Omggkklo.exe 102
PID 4408 wrote to memory of 5036 4408 Omggkklo.exe 102
PID 4408 wrote to memory of 5036 4408 Omggkklo.exe 102
PID 5036 wrote to memory of 696 5036 Oeclpn32.exe 103
PID 5036 wrote to memory of 696 5036 Oeclpn32.exe 103
PID 5036 wrote to memory of 696 5036 Oeclpn32.exe 103
PID 696 wrote to memory of 2944 696 Olmdmhpf.exe 104
PID 696 wrote to memory of 2944 696 Olmdmhpf.exe 104
PID 696 wrote to memory of 2944 696 Olmdmhpf.exe 104
PID 2944 wrote to memory of 3408 2944 Oeehem32.exe 105
PID 2944 wrote to memory of 3408 2944 Oeehem32.exe 105
PID 2944 wrote to memory of 3408 2944 Oeehem32.exe 105
PID 3408 wrote to memory of 3100 3408 Ppkmbffm.exe 106
PID 3408 wrote to memory of 3100 3408 Ppkmbffm.exe 106
PID 3408 wrote to memory of 3100 3408 Ppkmbffm.exe 106
PID 3100 wrote to memory of 2240 3100 Pfdeop32.exe 107
PID 3100 wrote to memory of 2240 3100 Pfdeop32.exe 107
PID 3100 wrote to memory of 2240 3100 Pfdeop32.exe 107
PID 2240 wrote to memory of 3740 2240 Plangg32.exe 108
PID 2240 wrote to memory of 3740 2240 Plangg32.exe 108
PID 2240 wrote to memory of 3740 2240 Plangg32.exe 108
PID 3740 wrote to memory of 392 3740 Pbkfdacn.exe 109
PID 3740 wrote to memory of 392 3740 Pbkfdacn.exe 109
PID 3740 wrote to memory of 392 3740 Pbkfdacn.exe 109
PID 392 wrote to memory of 4712 392 Pmajajcd.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe"C:\Users\Admin\AppData\Local\Temp\433d93f45cccbcd3e2da28a411199f175ad76edd11de157e3c973f11a692fb9cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Nnkgbe32.exeC:\Windows\system32\Nnkgbe32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Nmlgpmfl.exeC:\Windows\system32\Nmlgpmfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Nnmdge32.exeC:\Windows\system32\Nnmdge32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Negldocg.exeC:\Windows\system32\Negldocg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Npmqah32.exeC:\Windows\system32\Npmqah32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Nffinbjj.exeC:\Windows\system32\Nffinbjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Nlcafiha.exeC:\Windows\system32\Nlcafiha.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Ofiecbhg.exeC:\Windows\system32\Ofiecbhg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Omcnplpd.exeC:\Windows\system32\Omcnplpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Obpfhcnk.exeC:\Windows\system32\Obpfhcnk.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Oijnem32.exeC:\Windows\system32\Oijnem32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Obbcnbli.exeC:\Windows\system32\Obbcnbli.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Omggkklo.exeC:\Windows\system32\Omggkklo.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Oeclpn32.exeC:\Windows\system32\Oeclpn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Olmdmhpf.exeC:\Windows\system32\Olmdmhpf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Oeehem32.exeC:\Windows\system32\Oeehem32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ppkmbffm.exeC:\Windows\system32\Ppkmbffm.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\Pfdeop32.exeC:\Windows\system32\Pfdeop32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Plangg32.exeC:\Windows\system32\Plangg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Pbkfdacn.exeC:\Windows\system32\Pbkfdacn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Pmajajcd.exeC:\Windows\system32\Pmajajcd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Ppofnebg.exeC:\Windows\system32\Ppofnebg.exe23⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Pbnbja32.exeC:\Windows\system32\Pbnbja32.exe24⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Pelofl32.exeC:\Windows\system32\Pelofl32.exe25⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Pmcggj32.exeC:\Windows\system32\Pmcggj32.exe26⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Ppacce32.exeC:\Windows\system32\Ppacce32.exe27⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Pbpooq32.exeC:\Windows\system32\Pbpooq32.exe28⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Peokll32.exeC:\Windows\system32\Peokll32.exe29⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ppdpie32.exeC:\Windows\system32\Ppdpie32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Qfpdko32.exeC:\Windows\system32\Qfpdko32.exe31⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Qolipa32.exeC:\Windows\system32\Qolipa32.exe32⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Alpjiepa.exeC:\Windows\system32\Alpjiepa.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Aonfeqoe.exeC:\Windows\system32\Aonfeqoe.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Apmboc32.exeC:\Windows\system32\Apmboc32.exe35⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Aldcdd32.exeC:\Windows\system32\Aldcdd32.exe36⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Alfpjd32.exeC:\Windows\system32\Alfpjd32.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Agldgm32.exeC:\Windows\system32\Agldgm32.exe38⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Aogikogj.exeC:\Windows\system32\Aogikogj.exe39⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Aeaahi32.exeC:\Windows\system32\Aeaahi32.exe40⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Blkidcfd.exeC:\Windows\system32\Blkidcfd.exe41⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Bojeaoeg.exeC:\Windows\system32\Bojeaoeg.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3584 -
C:\Windows\SysWOW64\Bceaan32.exeC:\Windows\system32\Bceaan32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Bpibkblj.exeC:\Windows\system32\Bpibkblj.exe44⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Befjcija.exeC:\Windows\system32\Befjcija.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Bnmbdfkd.exeC:\Windows\system32\Bnmbdfkd.exe46⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Bpkopajg.exeC:\Windows\system32\Bpkopajg.exe47⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Bnoojfia.exeC:\Windows\system32\Bnoojfia.exe48⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Bclhbm32.exeC:\Windows\system32\Bclhbm32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Windows\SysWOW64\Bjfpogoe.exeC:\Windows\system32\Bjfpogoe.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\Bpphka32.exeC:\Windows\system32\Bpphka32.exe51⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Bemqdh32.exeC:\Windows\system32\Bemqdh32.exe52⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Cpbeaq32.exeC:\Windows\system32\Cpbeaq32.exe53⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Cglmnk32.exeC:\Windows\system32\Cglmnk32.exe54⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Cnfejeci.exeC:\Windows\system32\Cnfejeci.exe55⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Cohbbm32.exeC:\Windows\system32\Cohbbm32.exe56⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Cjmfof32.exeC:\Windows\system32\Cjmfof32.exe57⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Cllbla32.exeC:\Windows\system32\Cllbla32.exe58⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ccejhkon.exeC:\Windows\system32\Ccejhkon.exe59⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Cnkoed32.exeC:\Windows\system32\Cnkoed32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3916 -
C:\Windows\SysWOW64\Cchgnk32.exeC:\Windows\system32\Cchgnk32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Cnmkkd32.exeC:\Windows\system32\Cnmkkd32.exe62⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Coohclcp.exeC:\Windows\system32\Coohclcp.exe63⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Dnphqcko.exeC:\Windows\system32\Dnphqcko.exe64⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Dcmqijif.exeC:\Windows\system32\Dcmqijif.exe65⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Djfied32.exeC:\Windows\system32\Djfied32.exe66⤵PID:4688
-
C:\Windows\SysWOW64\Dleeap32.exeC:\Windows\system32\Dleeap32.exe67⤵PID:4488
-
C:\Windows\SysWOW64\Dcomojgc.exeC:\Windows\system32\Dcomojgc.exe68⤵PID:3528
-
C:\Windows\SysWOW64\Dndalc32.exeC:\Windows\system32\Dndalc32.exe69⤵PID:1388
-
C:\Windows\SysWOW64\Dqcnhn32.exeC:\Windows\system32\Dqcnhn32.exe70⤵
- System Location Discovery: System Language Discovery
PID:1200 -
C:\Windows\SysWOW64\Djkbqdlm.exeC:\Windows\system32\Djkbqdlm.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:3992 -
C:\Windows\SysWOW64\Dqejmn32.exeC:\Windows\system32\Dqejmn32.exe72⤵PID:3616
-
C:\Windows\SysWOW64\Dfbcfe32.exeC:\Windows\system32\Dfbcfe32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4448 -
C:\Windows\SysWOW64\Dnikgbbd.exeC:\Windows\system32\Dnikgbbd.exe74⤵PID:4604
-
C:\Windows\SysWOW64\Dcfcoiak.exeC:\Windows\system32\Dcfcoiak.exe75⤵PID:4544
-
C:\Windows\SysWOW64\Ejpllc32.exeC:\Windows\system32\Ejpllc32.exe76⤵PID:4916
-
C:\Windows\SysWOW64\Enkhlbqa.exeC:\Windows\system32\Enkhlbqa.exe77⤵PID:4504
-
C:\Windows\SysWOW64\Egdleg32.exeC:\Windows\system32\Egdleg32.exe78⤵PID:4556
-
C:\Windows\SysWOW64\Emqdnnei.exeC:\Windows\system32\Emqdnnei.exe79⤵
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Egfikgeo.exeC:\Windows\system32\Egfikgeo.exe80⤵PID:3296
-
C:\Windows\SysWOW64\Eqomcm32.exeC:\Windows\system32\Eqomcm32.exe81⤵PID:744
-
C:\Windows\SysWOW64\Efkflc32.exeC:\Windows\system32\Efkflc32.exe82⤵PID:4796
-
C:\Windows\SysWOW64\Eqajiljm.exeC:\Windows\system32\Eqajiljm.exe83⤵PID:3200
-
C:\Windows\SysWOW64\Enejbqhf.exeC:\Windows\system32\Enejbqhf.exe84⤵PID:4444
-
C:\Windows\SysWOW64\Ecackggn.exeC:\Windows\system32\Ecackggn.exe85⤵PID:3312
-
C:\Windows\SysWOW64\Ffpogcfa.exeC:\Windows\system32\Ffpogcfa.exe86⤵PID:5160
-
C:\Windows\SysWOW64\Fngghpfd.exeC:\Windows\system32\Fngghpfd.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5204 -
C:\Windows\SysWOW64\Fnidnp32.exeC:\Windows\system32\Fnidnp32.exe88⤵PID:5248
-
C:\Windows\SysWOW64\Fgbhfeka.exeC:\Windows\system32\Fgbhfeka.exe89⤵PID:5292
-
C:\Windows\SysWOW64\Ffeibb32.exeC:\Windows\system32\Ffeibb32.exe90⤵PID:5336
-
C:\Windows\SysWOW64\Fajmok32.exeC:\Windows\system32\Fajmok32.exe91⤵PID:5380
-
C:\Windows\SysWOW64\Fpmmkhhm.exeC:\Windows\system32\Fpmmkhhm.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5424 -
C:\Windows\SysWOW64\Ffgehbpj.exeC:\Windows\system32\Ffgehbpj.exe93⤵PID:5468
-
C:\Windows\SysWOW64\Fmandl32.exeC:\Windows\system32\Fmandl32.exe94⤵PID:5512
-
C:\Windows\SysWOW64\Fppjqg32.exeC:\Windows\system32\Fppjqg32.exe95⤵PID:5556
-
C:\Windows\SysWOW64\Fgfbae32.exeC:\Windows\system32\Fgfbae32.exe96⤵PID:5604
-
C:\Windows\SysWOW64\Ffibmang.exeC:\Windows\system32\Ffibmang.exe97⤵
- System Location Discovery: System Language Discovery
PID:5676 -
C:\Windows\SysWOW64\Fmcjjl32.exeC:\Windows\system32\Fmcjjl32.exe98⤵PID:5728
-
C:\Windows\SysWOW64\Fpbffg32.exeC:\Windows\system32\Fpbffg32.exe99⤵PID:5772
-
C:\Windows\SysWOW64\Gaacpj32.exeC:\Windows\system32\Gaacpj32.exe100⤵PID:5816
-
C:\Windows\SysWOW64\Gnecin32.exeC:\Windows\system32\Gnecin32.exe101⤵
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Gpfpafpb.exeC:\Windows\system32\Gpfpafpb.exe102⤵PID:5908
-
C:\Windows\SysWOW64\Gfqhnq32.exeC:\Windows\system32\Gfqhnq32.exe103⤵PID:5952
-
C:\Windows\SysWOW64\Gmjqkk32.exeC:\Windows\system32\Gmjqkk32.exe104⤵PID:5992
-
C:\Windows\SysWOW64\Ghpdhc32.exeC:\Windows\system32\Ghpdhc32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6032 -
C:\Windows\SysWOW64\Gjnado32.exeC:\Windows\system32\Gjnado32.exe106⤵
- Drops file in System32 directory
PID:6076 -
C:\Windows\SysWOW64\Gahiqieb.exeC:\Windows\system32\Gahiqieb.exe107⤵PID:6116
-
C:\Windows\SysWOW64\Gpkilf32.exeC:\Windows\system32\Gpkilf32.exe108⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Gnljjm32.exeC:\Windows\system32\Gnljjm32.exe109⤵PID:5216
-
C:\Windows\SysWOW64\Hcibbd32.exeC:\Windows\system32\Hcibbd32.exe110⤵PID:5284
-
C:\Windows\SysWOW64\Hfgnop32.exeC:\Windows\system32\Hfgnop32.exe111⤵PID:5352
-
C:\Windows\SysWOW64\Hamblh32.exeC:\Windows\system32\Hamblh32.exe112⤵PID:5416
-
C:\Windows\SysWOW64\Hhgkhbij.exeC:\Windows\system32\Hhgkhbij.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Hnacem32.exeC:\Windows\system32\Hnacem32.exe114⤵PID:5544
-
C:\Windows\SysWOW64\Hpbpme32.exeC:\Windows\system32\Hpbpme32.exe115⤵PID:5632
-
C:\Windows\SysWOW64\Hflhjona.exeC:\Windows\system32\Hflhjona.exe116⤵PID:5736
-
C:\Windows\SysWOW64\Hmfpfi32.exeC:\Windows\system32\Hmfpfi32.exe117⤵PID:5808
-
C:\Windows\SysWOW64\Hpdlbd32.exeC:\Windows\system32\Hpdlbd32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5884 -
C:\Windows\SysWOW64\Hfodooko.exeC:\Windows\system32\Hfodooko.exe119⤵PID:5960
-
C:\Windows\SysWOW64\Hnelplla.exeC:\Windows\system32\Hnelplla.exe120⤵PID:6028
-
C:\Windows\SysWOW64\Hdbehb32.exeC:\Windows\system32\Hdbehb32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6100 -
C:\Windows\SysWOW64\Hjlmemae.exeC:\Windows\system32\Hjlmemae.exe122⤵PID:5152
-