Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/09/2024, 10:23
Behavioral task
behavioral1
Sample
dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe
-
Size
128KB
-
MD5
cc1377fcd3a98117a4402f9b168a3a20
-
SHA1
5fb386a62d7993db0a80cfe213006ab1a9115529
-
SHA256
dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53b
-
SHA512
c2d4732ef9d66af84c02a31e0df4b1fb5f3798301b28708a33db0b194a745eafeab70d5d5be8f3aaf24a1559dc21764b0c1d39f79c407edeac686e23ab818e2e
-
SSDEEP
3072:p3Ua0t3tDrFDHZtOgxBOXXwwfBoD6N3h8N5Gg:lUJL5tTDUZNSN57
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feimadoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imnjbhaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmpddfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahkkhnpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjipmoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inidkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phneqf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mphamg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hocjaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nheqnpjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janpnfee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhlepkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnehifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipdpbgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljleil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afceko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeffcid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcoioabf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okqbac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdfgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbmdabh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgfhnhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebkge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfknmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdkffi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmcki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glqkefff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieknpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaljbmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbinlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndinck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoefgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Komoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlanpfkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdeffgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpodkdll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqombb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppffec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdfgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abemep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjjjghg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhaipei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddqejni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifihdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoind32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjaci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckfofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ileflmpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Necqbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnoefagj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhfcae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpofd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clijablo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofoki32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcnleb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdppaidl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kccbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdmikb32.exe -
Executes dropped EXE 64 IoCs
pid Process 4984 Hnkhjdle.exe 3416 Hgcmbj32.exe 388 Halaloif.exe 4080 Hcjmhk32.exe 4316 Hkaeih32.exe 2300 Hnpaec32.exe 4880 Hcljmj32.exe 856 Hnbnjc32.exe 4768 Ielfgmnj.exe 1900 Igjbci32.exe 3868 Ijiopd32.exe 4936 Ibpgqa32.exe 5076 Igmoih32.exe 1732 Infhebbh.exe 4928 Iccpniqp.exe 4504 Inidkb32.exe 4524 Iecmhlhb.exe 2116 Ijpepcfj.exe 1956 Ieeimlep.exe 2776 Idhiii32.exe 428 Jaljbmkd.exe 3360 Jdjfohjg.exe 2188 Jlanpfkj.exe 2976 Janghmia.exe 1092 Jdmcdhhe.exe 1148 Jldkeeig.exe 3476 Jnbgaa32.exe 3848 Jdopjh32.exe 5052 Jeolckne.exe 4624 Jaemilci.exe 4844 Kbgfhnhi.exe 1332 Kbjbnnfg.exe 544 Kdkoef32.exe 836 Kkegbpca.exe 3332 Kejloi32.exe 372 Klddlckd.exe 1004 Lkiamp32.exe 1672 Leoejh32.exe 4528 Lklnconj.exe 4752 Lhpnlclc.exe 2972 Lbebilli.exe 1448 Llngbabj.exe 1560 Lefkkg32.exe 4960 Lcjldk32.exe 1140 Mclhjkfa.exe 1788 Mlemcq32.exe 3312 Mdpagc32.exe 1036 Mlgjhp32.exe 4460 Moefdljc.exe 676 Mlifnphl.exe 2244 Mebkge32.exe 3392 Mkocol32.exe 3952 Mahklf32.exe 4400 Nlnpio32.exe 1100 Nomlek32.exe 4236 Nheqnpjk.exe 4368 Ncjdki32.exe 4760 Nhgmcp32.exe 3168 Noaeqjpe.exe 5080 Nfknmd32.exe 2544 Nconfh32.exe 1888 Ndpjnq32.exe 3396 Nofoki32.exe 3400 Nbdkhe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Akfdcq32.exe Qdllffpo.exe File created C:\Windows\SysWOW64\Fcldac32.dll Gbhpajlj.exe File opened for modification C:\Windows\SysWOW64\Icakofel.exe Ihlgan32.exe File opened for modification C:\Windows\SysWOW64\Eedmlo32.exe Eojeodga.exe File created C:\Windows\SysWOW64\Jhmchd32.dll Jbkbkbfo.exe File created C:\Windows\SysWOW64\Eldafjjc.dll Cfcoblfb.exe File opened for modification C:\Windows\SysWOW64\Nkpbpp32.exe Ndejcemn.exe File created C:\Windows\SysWOW64\Ljdjpm32.dll Okkalnjm.exe File created C:\Windows\SysWOW64\Dmmbbodp.dll Ajjjjghg.exe File created C:\Windows\SysWOW64\Kejloi32.exe Kkegbpca.exe File opened for modification C:\Windows\SysWOW64\Ehpmbj32.exe Ebcdjc32.exe File created C:\Windows\SysWOW64\Cjbnqa32.dll Ppffec32.exe File created C:\Windows\SysWOW64\Nepgghpg.dll Ahkkhnpg.exe File created C:\Windows\SysWOW64\Gkcdfl32.exe Glpdjpbj.exe File created C:\Windows\SysWOW64\Halaloif.exe Hgcmbj32.exe File created C:\Windows\SysWOW64\Kmnlmdhd.dll Dmplkd32.exe File created C:\Windows\SysWOW64\Jfoaam32.exe Jglaepim.exe File created C:\Windows\SysWOW64\Cfljnejl.exe Cbqonf32.exe File created C:\Windows\SysWOW64\Gpgnjebd.exe Gebimmco.exe File opened for modification C:\Windows\SysWOW64\Ajjjjghg.exe Ahinbo32.exe File created C:\Windows\SysWOW64\Kfhnme32.exe Kciaqi32.exe File created C:\Windows\SysWOW64\Fkiapn32.exe Fhkecb32.exe File opened for modification C:\Windows\SysWOW64\Jokiig32.exe Jjnqap32.exe File created C:\Windows\SysWOW64\Gijcdi32.dll Gjqinamq.exe File created C:\Windows\SysWOW64\Onbiicqa.dll Oggllnkl.exe File opened for modification C:\Windows\SysWOW64\Bkjpkg32.exe Bqdlmo32.exe File created C:\Windows\SysWOW64\Ppdpcn32.dll Dilmeida.exe File created C:\Windows\SysWOW64\Okleqm32.dll Eaqdpjia.exe File created C:\Windows\SysWOW64\Gggfme32.exe Gckjlf32.exe File created C:\Windows\SysWOW64\Oaejhh32.exe Omjnhiiq.exe File created C:\Windows\SysWOW64\Fmlngh32.dll Eieplhlf.exe File created C:\Windows\SysWOW64\Aedfbe32.dll Infhebbh.exe File created C:\Windows\SysWOW64\Pleapoon.dll Jfehpg32.exe File created C:\Windows\SysWOW64\Ldnekoch.dll Cebdcmhh.exe File created C:\Windows\SysWOW64\Lelajb32.exe Khhaanop.exe File opened for modification C:\Windows\SysWOW64\Akhaipei.exe Adnilfnl.exe File created C:\Windows\SysWOW64\Fempbm32.exe Fgjpfqpi.exe File opened for modification C:\Windows\SysWOW64\Cghgpgqd.exe Canocm32.exe File opened for modification C:\Windows\SysWOW64\Flpkcbqm.exe Fefcgh32.exe File opened for modification C:\Windows\SysWOW64\Cdgolq32.exe Clpgkcdj.exe File opened for modification C:\Windows\SysWOW64\Eebgqe32.exe Ecdkdj32.exe File created C:\Windows\SysWOW64\Imiagi32.exe Ijjekn32.exe File opened for modification C:\Windows\SysWOW64\Ngemjg32.exe Necqbo32.exe File opened for modification C:\Windows\SysWOW64\Hcbpme32.exe Hdppaidl.exe File created C:\Windows\SysWOW64\Mehafq32.exe Ldhdlnli.exe File created C:\Windows\SysWOW64\Ankgpk32.exe Aecbge32.exe File created C:\Windows\SysWOW64\Dhfcae32.exe Dalkek32.exe File created C:\Windows\SysWOW64\Jgnhmn32.dll Loiong32.exe File opened for modification C:\Windows\SysWOW64\Leoejh32.exe Lkiamp32.exe File opened for modification C:\Windows\SysWOW64\Ijiopd32.exe Igjbci32.exe File opened for modification C:\Windows\SysWOW64\Jakchf32.exe Jnmglk32.exe File created C:\Windows\SysWOW64\Hfeoijbi.exe Hphfac32.exe File created C:\Windows\SysWOW64\Pgbkgmao.exe Pddokabk.exe File created C:\Windows\SysWOW64\Mhfmom32.dll Kiaqnagj.exe File created C:\Windows\SysWOW64\Ajjjjghg.exe Ahinbo32.exe File created C:\Windows\SysWOW64\Dajnol32.exe Dlmegd32.exe File opened for modification C:\Windows\SysWOW64\Jkhpogij.exe Jhjcbljf.exe File opened for modification C:\Windows\SysWOW64\Koiejemn.exe Kiomnk32.exe File created C:\Windows\SysWOW64\Qmekbhdn.dll Ndmgnkja.exe File created C:\Windows\SysWOW64\Cfcoblfb.exe Cdebfago.exe File created C:\Windows\SysWOW64\Lmpjmf32.dll Gqkajk32.exe File opened for modification C:\Windows\SysWOW64\Kceoppmo.exe Kmlgcf32.exe File created C:\Windows\SysWOW64\Bfnafolo.dll Mhhjhlqm.exe File created C:\Windows\SysWOW64\Cogadadh.dll Llpofd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1188 2488 WerFault.exe 773 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckjlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdpmkhjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbqalle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjglg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndejcemn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkbhbeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileflmpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abemep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janpnfee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfdfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoefagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnnqgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfeagefd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdodbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfknmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbhka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Facjlhil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoindndf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndinck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpcdfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailabddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofhbgmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdmpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddqejni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fempbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegchl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llngbabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decmjjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkhfmdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioppho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Labkempb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnknpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naokbokn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beaecjab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjaonij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lacbpccn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclhjkfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhmqlmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfgloiqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgjbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmppneal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflhcfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoioabf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbmfhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogdfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdogj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlaoioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Engaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpkcbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpplf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkjaifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfqdid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moefdljc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelajb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdnon32.dll" Ddcogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dblnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oomelheh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihjeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndomiddc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofhbgmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkinmlnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebkge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klddlckd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feimadoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmppneal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efqigigj.dll" Cldjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfjeckpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eljchpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gchflq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jikjmbmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll" Iecmhlhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiaqnagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Foqdem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqkcc32.dll" Pfbfjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niihlkdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbhpajlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgdahgp.dll" Pkinmlnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miagbi32.dll" Canocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cghgpgqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjacac32.dll" Moeoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmekbhdn.dll" Ndmgnkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpomem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekfnbbc.dll" Dfngcdhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojlnphpd.dll" Focakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcldhfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilkbqmk.dll" Fgpplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankgpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akogio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocikabbg.dll" Qjcdih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdiqcb32.dll" Lbgjmnno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahkkhnpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docpdpol.dll" Jakchf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqpbboeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbdoa32.dll" Hcflch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgipm32.dll" Epjhcnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naokbokn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlaoioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dalkek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqkajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcinkldn.dll" Hfamia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfgloiqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nconfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boljdcel.dll" Hdppaidl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mejnlpai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeopnmoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akfdcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gggfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limioiia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedbhi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 4984 2096 dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe 89 PID 2096 wrote to memory of 4984 2096 dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe 89 PID 2096 wrote to memory of 4984 2096 dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe 89 PID 4984 wrote to memory of 3416 4984 Hnkhjdle.exe 90 PID 4984 wrote to memory of 3416 4984 Hnkhjdle.exe 90 PID 4984 wrote to memory of 3416 4984 Hnkhjdle.exe 90 PID 3416 wrote to memory of 388 3416 Hgcmbj32.exe 91 PID 3416 wrote to memory of 388 3416 Hgcmbj32.exe 91 PID 3416 wrote to memory of 388 3416 Hgcmbj32.exe 91 PID 388 wrote to memory of 4080 388 Halaloif.exe 92 PID 388 wrote to memory of 4080 388 Halaloif.exe 92 PID 388 wrote to memory of 4080 388 Halaloif.exe 92 PID 4080 wrote to memory of 4316 4080 Hcjmhk32.exe 93 PID 4080 wrote to memory of 4316 4080 Hcjmhk32.exe 93 PID 4080 wrote to memory of 4316 4080 Hcjmhk32.exe 93 PID 4316 wrote to memory of 2300 4316 Hkaeih32.exe 94 PID 4316 wrote to memory of 2300 4316 Hkaeih32.exe 94 PID 4316 wrote to memory of 2300 4316 Hkaeih32.exe 94 PID 2300 wrote to memory of 4880 2300 Hnpaec32.exe 95 PID 2300 wrote to memory of 4880 2300 Hnpaec32.exe 95 PID 2300 wrote to memory of 4880 2300 Hnpaec32.exe 95 PID 4880 wrote to memory of 856 4880 Hcljmj32.exe 96 PID 4880 wrote to memory of 856 4880 Hcljmj32.exe 96 PID 4880 wrote to memory of 856 4880 Hcljmj32.exe 96 PID 856 wrote to memory of 4768 856 Hnbnjc32.exe 97 PID 856 wrote to memory of 4768 856 Hnbnjc32.exe 97 PID 856 wrote to memory of 4768 856 Hnbnjc32.exe 97 PID 4768 wrote to memory of 1900 4768 Ielfgmnj.exe 98 PID 4768 wrote to memory of 1900 4768 Ielfgmnj.exe 98 PID 4768 wrote to memory of 1900 4768 Ielfgmnj.exe 98 PID 1900 wrote to memory of 3868 1900 Igjbci32.exe 99 PID 1900 wrote to memory of 3868 1900 Igjbci32.exe 99 PID 1900 wrote to memory of 3868 1900 Igjbci32.exe 99 PID 3868 wrote to memory of 4936 3868 Ijiopd32.exe 100 PID 3868 wrote to memory of 4936 3868 Ijiopd32.exe 100 PID 3868 wrote to memory of 4936 3868 Ijiopd32.exe 100 PID 4936 wrote to memory of 5076 4936 Ibpgqa32.exe 101 PID 4936 wrote to memory of 5076 4936 Ibpgqa32.exe 101 PID 4936 wrote to memory of 5076 4936 Ibpgqa32.exe 101 PID 5076 wrote to memory of 1732 5076 Igmoih32.exe 102 PID 5076 wrote to memory of 1732 5076 Igmoih32.exe 102 PID 5076 wrote to memory of 1732 5076 Igmoih32.exe 102 PID 1732 wrote to memory of 4928 1732 Infhebbh.exe 103 PID 1732 wrote to memory of 4928 1732 Infhebbh.exe 103 PID 1732 wrote to memory of 4928 1732 Infhebbh.exe 103 PID 4928 wrote to memory of 4504 4928 Iccpniqp.exe 104 PID 4928 wrote to memory of 4504 4928 Iccpniqp.exe 104 PID 4928 wrote to memory of 4504 4928 Iccpniqp.exe 104 PID 4504 wrote to memory of 4524 4504 Inidkb32.exe 105 PID 4504 wrote to memory of 4524 4504 Inidkb32.exe 105 PID 4504 wrote to memory of 4524 4504 Inidkb32.exe 105 PID 4524 wrote to memory of 2116 4524 Iecmhlhb.exe 106 PID 4524 wrote to memory of 2116 4524 Iecmhlhb.exe 106 PID 4524 wrote to memory of 2116 4524 Iecmhlhb.exe 106 PID 2116 wrote to memory of 1956 2116 Ijpepcfj.exe 107 PID 2116 wrote to memory of 1956 2116 Ijpepcfj.exe 107 PID 2116 wrote to memory of 1956 2116 Ijpepcfj.exe 107 PID 1956 wrote to memory of 2776 1956 Ieeimlep.exe 108 PID 1956 wrote to memory of 2776 1956 Ieeimlep.exe 108 PID 1956 wrote to memory of 2776 1956 Ieeimlep.exe 108 PID 2776 wrote to memory of 428 2776 Idhiii32.exe 109 PID 2776 wrote to memory of 428 2776 Idhiii32.exe 109 PID 2776 wrote to memory of 428 2776 Idhiii32.exe 109 PID 428 wrote to memory of 3360 428 Jaljbmkd.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe"C:\Users\Admin\AppData\Local\Temp\dd128a9bc7fc93086d0808d2ead95839104ec358d7528034034fff7b44eac53bN.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Hnkhjdle.exeC:\Windows\system32\Hnkhjdle.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Halaloif.exeC:\Windows\system32\Halaloif.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Hnpaec32.exeC:\Windows\system32\Hnpaec32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Hnbnjc32.exeC:\Windows\system32\Hnbnjc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Ibpgqa32.exeC:\Windows\system32\Ibpgqa32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Inidkb32.exeC:\Windows\system32\Inidkb32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Ijpepcfj.exeC:\Windows\system32\Ijpepcfj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ieeimlep.exeC:\Windows\system32\Ieeimlep.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Jaljbmkd.exeC:\Windows\system32\Jaljbmkd.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Jdjfohjg.exeC:\Windows\system32\Jdjfohjg.exe23⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Janghmia.exeC:\Windows\system32\Janghmia.exe25⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe26⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe27⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Jnbgaa32.exeC:\Windows\system32\Jnbgaa32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\Jdopjh32.exeC:\Windows\system32\Jdopjh32.exe29⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Jeolckne.exeC:\Windows\system32\Jeolckne.exe30⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe31⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Kbjbnnfg.exeC:\Windows\system32\Kbjbnnfg.exe33⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Kdkoef32.exeC:\Windows\system32\Kdkoef32.exe34⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Kkegbpca.exeC:\Windows\system32\Kkegbpca.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Kejloi32.exeC:\Windows\system32\Kejloi32.exe36⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Lkiamp32.exeC:\Windows\system32\Lkiamp32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1004 -
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe39⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe40⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Lhpnlclc.exeC:\Windows\system32\Lhpnlclc.exe41⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Lbebilli.exeC:\Windows\system32\Lbebilli.exe42⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Llngbabj.exeC:\Windows\system32\Llngbabj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Lefkkg32.exeC:\Windows\system32\Lefkkg32.exe44⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Lcjldk32.exeC:\Windows\system32\Lcjldk32.exe45⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Mclhjkfa.exeC:\Windows\system32\Mclhjkfa.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Mlemcq32.exeC:\Windows\system32\Mlemcq32.exe47⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe48⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Mlgjhp32.exeC:\Windows\system32\Mlgjhp32.exe49⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Moefdljc.exeC:\Windows\system32\Moefdljc.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe51⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe53⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe54⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Nlnpio32.exeC:\Windows\system32\Nlnpio32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe56⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Nheqnpjk.exeC:\Windows\system32\Nheqnpjk.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe58⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Nhgmcp32.exeC:\Windows\system32\Nhgmcp32.exe59⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Noaeqjpe.exeC:\Windows\system32\Noaeqjpe.exe60⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Nconfh32.exeC:\Windows\system32\Nconfh32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Ndpjnq32.exeC:\Windows\system32\Ndpjnq32.exe63⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe65⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe66⤵PID:3044
-
C:\Windows\SysWOW64\Ocdgahag.exeC:\Windows\system32\Ocdgahag.exe67⤵PID:4816
-
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe68⤵PID:2728
-
C:\Windows\SysWOW64\Odgqopeb.exeC:\Windows\system32\Odgqopeb.exe69⤵PID:4896
-
C:\Windows\SysWOW64\Oomelheh.exeC:\Windows\system32\Oomelheh.exe70⤵
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe71⤵PID:3856
-
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe72⤵PID:4580
-
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe73⤵PID:4348
-
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe74⤵PID:5032
-
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe75⤵PID:2412
-
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe76⤵PID:2012
-
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe77⤵PID:3484
-
C:\Windows\SysWOW64\Pdqcenmg.exeC:\Windows\system32\Pdqcenmg.exe78⤵PID:1644
-
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe80⤵PID:4408
-
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe81⤵PID:4864
-
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4856 -
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe83⤵PID:812
-
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe84⤵PID:3192
-
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe85⤵PID:3508
-
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe86⤵PID:5144
-
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe87⤵PID:5188
-
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe88⤵PID:5240
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe89⤵PID:5272
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe90⤵PID:5352
-
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe91⤵PID:5404
-
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe92⤵PID:5448
-
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe93⤵PID:5496
-
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe94⤵PID:5540
-
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe95⤵PID:5588
-
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5632 -
C:\Windows\SysWOW64\Acdioc32.exeC:\Windows\system32\Acdioc32.exe97⤵PID:5676
-
C:\Windows\SysWOW64\Afceko32.exeC:\Windows\system32\Afceko32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5720 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe99⤵PID:5764
-
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe100⤵PID:5808
-
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe101⤵PID:5848
-
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe102⤵PID:5892
-
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe103⤵PID:5932
-
C:\Windows\SysWOW64\Bejobk32.exeC:\Windows\system32\Bejobk32.exe104⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Bppcpc32.exeC:\Windows\system32\Bppcpc32.exe105⤵PID:6012
-
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe106⤵PID:6056
-
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe107⤵PID:6100
-
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:512 -
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe109⤵PID:5184
-
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe110⤵PID:5264
-
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe111⤵
- System Location Discovery: System Language Discovery
PID:5368 -
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe112⤵PID:5432
-
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe113⤵PID:5504
-
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe114⤵
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe115⤵PID:5648
-
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe116⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe117⤵
- Drops file in System32 directory
PID:5784 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe118⤵
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe119⤵PID:5916
-
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe120⤵PID:6000
-
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe121⤵PID:6076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-