Analysis
-
max time kernel
114s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/10/2024, 23:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe
-
Size
59KB
-
MD5
5d3857893376ca674ca46ce62b6a37f0
-
SHA1
b251985c25d5a0fb6344320bb83e75e11a983c8e
-
SHA256
a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfc
-
SHA512
6289f2f14f155b4c2af27b51111bae30d3dab02ffd904d9c732db79dc8013cd5679f8d8ad067cc9b3dfcfadb8cf0601a283235de3c238ef28b8ca648e0babcf7
-
SSDEEP
768:4nI/Vtnaxwrm/5T4ybk3UxmOQZwmBNffOhTxoBRfoqZ/1H5765nf1fZMEBFELvkH:4nI/ramrA4EcPZ1NOhT/AxGNCyVso
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnmjomlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdfpmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cicqja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhbhapha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Focakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Golcak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmldo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdjpcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnhjig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkflpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emeffcid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foakpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbonm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imcqacfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhofnpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhbhapha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklglk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbgndoho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgqabib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpijfgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnlpgibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcealh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdiamnpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deqqek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblpflfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafpiehg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himgjbii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfclcpg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfiagd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlhgpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpckjlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdokmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bngfli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehbihj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjglg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpofd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmjhfjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnamofdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjcmpepm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkefphem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpqap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jldkeeig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eegqldqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deagoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmffnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpnepk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbijinfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfdaigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngnppfgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdphnmjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbiabq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbpeghpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Focakm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gknkkmmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mccokj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmjhfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcnleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnlpcel.exe -
Executes dropped EXE 64 IoCs
pid Process 664 Ddhomdje.exe 4560 Dkbgjo32.exe 3696 Dalofi32.exe 2260 Dkedonpo.exe 3804 Daollh32.exe 216 Egkddo32.exe 4064 Enemaimp.exe 2624 Ecbeip32.exe 3008 Egnajocq.exe 4328 Eaceghcg.exe 1824 Ecdbop32.exe 756 Ejojljqa.exe 752 Eddnic32.exe 4608 Ekngemhd.exe 820 Eahobg32.exe 3404 Ecikjoep.exe 232 Ejccgi32.exe 60 Fclhpo32.exe 4044 Fnalmh32.exe 3628 Fgiaemic.exe 2496 Fkemfl32.exe 1596 Fboecfii.exe 3548 Fcpakn32.exe 4888 Fglnkm32.exe 1516 Fqdbdbna.exe 5076 Fgnjqm32.exe 2064 Fdbkja32.exe 4120 Fgqgfl32.exe 4380 Fbfkceca.exe 3884 Gnmlhf32.exe 2124 Gqnejaff.exe 5068 Gqpapacd.exe 4884 Gndbie32.exe 444 Gcqjal32.exe 1136 Gkhbbi32.exe 3608 Hccggl32.exe 980 Hcedmkmp.exe 720 Hkmlnimb.exe 1356 Hchqbkkm.exe 4156 Hnmeodjc.exe 1604 Hkaeih32.exe 1568 Hghfnioq.exe 3788 Ibnjkbog.exe 4176 Ielfgmnj.exe 1616 Ijiopd32.exe 1760 Iabglnco.exe 1580 Icachjbb.exe 3844 Infhebbh.exe 4028 Iholohii.exe 2692 Ibdplaho.exe 4420 Icfmci32.exe 3516 Inkaqb32.exe 540 Idhiii32.exe 4220 Jnnnfalp.exe 968 Jehfcl32.exe 2256 Jlanpfkj.exe 4180 Jejbhk32.exe 4424 Jldkeeig.exe 1484 Jbncbpqd.exe 2988 Jlfhke32.exe 3676 Jjihfbno.exe 4980 Jdalog32.exe 5048 Jjkdlall.exe 5112 Jbbmmo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jdinng32.dll Gqnejaff.exe File created C:\Windows\SysWOW64\Gcljpeah.dll Gfemmb32.exe File created C:\Windows\SysWOW64\Lfpiamoj.dll Eaqdpjia.exe File created C:\Windows\SysWOW64\Eahobg32.exe Ekngemhd.exe File opened for modification C:\Windows\SysWOW64\Homcbo32.exe Hlogfd32.exe File opened for modification C:\Windows\SysWOW64\Jldkeeig.exe Jejbhk32.exe File created C:\Windows\SysWOW64\Kclnfi32.exe Kmbfiokn.exe File opened for modification C:\Windows\SysWOW64\Aehbmk32.exe Acgfec32.exe File opened for modification C:\Windows\SysWOW64\Cgaqphgl.exe Cbdhgaid.exe File opened for modification C:\Windows\SysWOW64\Cbnknpqj.exe Cjfclcpg.exe File created C:\Windows\SysWOW64\Hqejedmp.dll Golcak32.exe File created C:\Windows\SysWOW64\Kamonn32.dll Eddnic32.exe File opened for modification C:\Windows\SysWOW64\Nncoaq32.exe Ngifef32.exe File opened for modification C:\Windows\SysWOW64\Fbjjkble.exe Fplnogmb.exe File opened for modification C:\Windows\SysWOW64\Fbggkl32.exe Flmonbbp.exe File created C:\Windows\SysWOW64\Bnkemhbc.dll Flgadake.exe File created C:\Windows\SysWOW64\Pbblinfi.dll Hafpiehg.exe File created C:\Windows\SysWOW64\Enpjkjkh.dll Jcknee32.exe File created C:\Windows\SysWOW64\Ojfbof32.dll Lflpmn32.exe File created C:\Windows\SysWOW64\Jjonchmn.dll Nooikj32.exe File opened for modification C:\Windows\SysWOW64\Pfeijqqe.exe Pokanf32.exe File opened for modification C:\Windows\SysWOW64\Gmfkjl32.exe Gjhonp32.exe File opened for modification C:\Windows\SysWOW64\Ljoboloa.exe Lcdjba32.exe File opened for modification C:\Windows\SysWOW64\Nfknmd32.exe Napameoi.exe File created C:\Windows\SysWOW64\Glbqampo.dll Oahnhncc.exe File opened for modification C:\Windows\SysWOW64\Dpglmjoj.exe Dhpdkm32.exe File opened for modification C:\Windows\SysWOW64\Mcggga32.exe Llpofd32.exe File created C:\Windows\SysWOW64\Ndlacapp.exe Nfiagd32.exe File created C:\Windows\SysWOW64\Pkholi32.exe Ocmjhfjl.exe File created C:\Windows\SysWOW64\Jfdqcf32.dll Bfhofnpp.exe File opened for modification C:\Windows\SysWOW64\Nhcbidcd.exe Najjmjkg.exe File created C:\Windows\SysWOW64\Phfhfa32.exe Opopdd32.exe File created C:\Windows\SysWOW64\Effjdd32.dll Hkaqgjme.exe File opened for modification C:\Windows\SysWOW64\Lbnggpfj.exe Kkdoje32.exe File created C:\Windows\SysWOW64\Lbqdmodg.exe Lkflpe32.exe File created C:\Windows\SysWOW64\Apjhleik.dll Dpihbjmg.exe File created C:\Windows\SysWOW64\Jjemle32.exe Jggapj32.exe File opened for modification C:\Windows\SysWOW64\Lflpmn32.exe Lbqdmodg.exe File opened for modification C:\Windows\SysWOW64\Gqmnpk32.exe Glabolja.exe File created C:\Windows\SysWOW64\Ijjnpg32.exe Icpecm32.exe File opened for modification C:\Windows\SysWOW64\Mmiealgc.exe Mfomda32.exe File opened for modification C:\Windows\SysWOW64\Dkbgjo32.exe Ddhomdje.exe File opened for modification C:\Windows\SysWOW64\Gnmlhf32.exe Fbfkceca.exe File created C:\Windows\SysWOW64\Haafdi32.dll Pmoagk32.exe File created C:\Windows\SysWOW64\Onmahojj.exe Ohpiphlb.exe File created C:\Windows\SysWOW64\Hojpbigq.exe Hhpheo32.exe File opened for modification C:\Windows\SysWOW64\Dfakcj32.exe Ddcogo32.exe File created C:\Windows\SysWOW64\Epeohn32.exe Emgblc32.exe File opened for modification C:\Windows\SysWOW64\Gckjlf32.exe Gqmnpk32.exe File opened for modification C:\Windows\SysWOW64\Ehklmd32.exe Eihlahjd.exe File created C:\Windows\SysWOW64\Khcgfo32.exe Keekjc32.exe File opened for modification C:\Windows\SysWOW64\Jjjggede.exe Jcpojk32.exe File created C:\Windows\SysWOW64\Jejbhk32.exe Jlanpfkj.exe File created C:\Windows\SysWOW64\Lpklcffg.dll Knifging.exe File opened for modification C:\Windows\SysWOW64\Cfljnejl.exe Cpbbak32.exe File opened for modification C:\Windows\SysWOW64\Cbknhqbl.exe Cjdfgc32.exe File created C:\Windows\SysWOW64\Cpqnog32.dll Haafnf32.exe File created C:\Windows\SysWOW64\Fqdbdbna.exe Fglnkm32.exe File created C:\Windows\SysWOW64\Jbhkbjdi.dll Gndbie32.exe File created C:\Windows\SysWOW64\Obcckehh.dll Ibdplaho.exe File opened for modification C:\Windows\SysWOW64\Dhpdkm32.exe Deagoa32.exe File opened for modification C:\Windows\SysWOW64\Nkdlkope.exe Npognfpo.exe File created C:\Windows\SysWOW64\Cfdefo32.dll Ihlgan32.exe File created C:\Windows\SysWOW64\Lbenho32.exe Lkkekdhe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15288 3940 WerFault.exe 858 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajfdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbmdabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaokbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhpheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqpapacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfhji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcaibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclnfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migcpneb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppffec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbkoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaodkmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpgkcdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hccggl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalcik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnbekok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mapgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opmcod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclhpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjlkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijeme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhobjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hligqnjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daollh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijlkfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opopdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkekdhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmedk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfanflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnopbdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emioab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjeckpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbdmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokpcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmhlijpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbenho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljoboloa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aioebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noehac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimlgnij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjpeelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckoifgmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakchf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdioc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnelpod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgkfqgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcgfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leqkeajd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnnqgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghlmbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbddobla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgfod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beaohcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmnbjcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfmci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napameoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digmqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihancje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlpgibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcmfchg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iholohii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bihhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcmpgpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgedjjki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jifabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elkbhbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kicfijal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfgfpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aealll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpidqbi.dll" Nncoaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhlfoodc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkgoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bampkqcn.dll" Dfqdid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laeojd32.dll" Dioiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbqiak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeihnf32.dll" Hoefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaeamb32.dll" Iholohii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kalcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhnjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmpcc32.dll" Cldjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glnnofhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hojpbigq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldhdlnli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdbpjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eppobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapncl32.dll" Bkcjjhgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klgqabib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loopdmpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkipi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehhpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlgjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deidjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepfhl32.dll" Fnglcqio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pncanhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqpapacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqpqlhmf.dll" Pkholi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbibenl.dll" Edlann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnclfaec.dll" Hligqnjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gckjlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keghocao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkofokch.dll" Kmeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffjnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihckfoa.dll" Onngci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfioj32.dll" Kplijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbpolb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llpofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgnmlep.dll" Cbmlmmjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfakcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjchlqh.dll" Khfdlnab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdogj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deagoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgngqico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okleqm32.dll" Ehklmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll" Keceoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjgfgbek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akdake32.dll" Lmnlpcel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpijfgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkefphem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joobdfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll" Ecbeip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdbkja32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 664 2432 a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe 89 PID 2432 wrote to memory of 664 2432 a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe 89 PID 2432 wrote to memory of 664 2432 a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe 89 PID 664 wrote to memory of 4560 664 Ddhomdje.exe 90 PID 664 wrote to memory of 4560 664 Ddhomdje.exe 90 PID 664 wrote to memory of 4560 664 Ddhomdje.exe 90 PID 4560 wrote to memory of 3696 4560 Dkbgjo32.exe 91 PID 4560 wrote to memory of 3696 4560 Dkbgjo32.exe 91 PID 4560 wrote to memory of 3696 4560 Dkbgjo32.exe 91 PID 3696 wrote to memory of 2260 3696 Dalofi32.exe 92 PID 3696 wrote to memory of 2260 3696 Dalofi32.exe 92 PID 3696 wrote to memory of 2260 3696 Dalofi32.exe 92 PID 2260 wrote to memory of 3804 2260 Dkedonpo.exe 93 PID 2260 wrote to memory of 3804 2260 Dkedonpo.exe 93 PID 2260 wrote to memory of 3804 2260 Dkedonpo.exe 93 PID 3804 wrote to memory of 216 3804 Daollh32.exe 94 PID 3804 wrote to memory of 216 3804 Daollh32.exe 94 PID 3804 wrote to memory of 216 3804 Daollh32.exe 94 PID 216 wrote to memory of 4064 216 Egkddo32.exe 95 PID 216 wrote to memory of 4064 216 Egkddo32.exe 95 PID 216 wrote to memory of 4064 216 Egkddo32.exe 95 PID 4064 wrote to memory of 2624 4064 Enemaimp.exe 96 PID 4064 wrote to memory of 2624 4064 Enemaimp.exe 96 PID 4064 wrote to memory of 2624 4064 Enemaimp.exe 96 PID 2624 wrote to memory of 3008 2624 Ecbeip32.exe 97 PID 2624 wrote to memory of 3008 2624 Ecbeip32.exe 97 PID 2624 wrote to memory of 3008 2624 Ecbeip32.exe 97 PID 3008 wrote to memory of 4328 3008 Egnajocq.exe 98 PID 3008 wrote to memory of 4328 3008 Egnajocq.exe 98 PID 3008 wrote to memory of 4328 3008 Egnajocq.exe 98 PID 4328 wrote to memory of 1824 4328 Eaceghcg.exe 99 PID 4328 wrote to memory of 1824 4328 Eaceghcg.exe 99 PID 4328 wrote to memory of 1824 4328 Eaceghcg.exe 99 PID 1824 wrote to memory of 756 1824 Ecdbop32.exe 100 PID 1824 wrote to memory of 756 1824 Ecdbop32.exe 100 PID 1824 wrote to memory of 756 1824 Ecdbop32.exe 100 PID 756 wrote to memory of 752 756 Ejojljqa.exe 101 PID 756 wrote to memory of 752 756 Ejojljqa.exe 101 PID 756 wrote to memory of 752 756 Ejojljqa.exe 101 PID 752 wrote to memory of 4608 752 Eddnic32.exe 102 PID 752 wrote to memory of 4608 752 Eddnic32.exe 102 PID 752 wrote to memory of 4608 752 Eddnic32.exe 102 PID 4608 wrote to memory of 820 4608 Ekngemhd.exe 103 PID 4608 wrote to memory of 820 4608 Ekngemhd.exe 103 PID 4608 wrote to memory of 820 4608 Ekngemhd.exe 103 PID 820 wrote to memory of 3404 820 Eahobg32.exe 104 PID 820 wrote to memory of 3404 820 Eahobg32.exe 104 PID 820 wrote to memory of 3404 820 Eahobg32.exe 104 PID 3404 wrote to memory of 232 3404 Ecikjoep.exe 105 PID 3404 wrote to memory of 232 3404 Ecikjoep.exe 105 PID 3404 wrote to memory of 232 3404 Ecikjoep.exe 105 PID 232 wrote to memory of 60 232 Ejccgi32.exe 106 PID 232 wrote to memory of 60 232 Ejccgi32.exe 106 PID 232 wrote to memory of 60 232 Ejccgi32.exe 106 PID 60 wrote to memory of 4044 60 Fclhpo32.exe 107 PID 60 wrote to memory of 4044 60 Fclhpo32.exe 107 PID 60 wrote to memory of 4044 60 Fclhpo32.exe 107 PID 4044 wrote to memory of 3628 4044 Fnalmh32.exe 108 PID 4044 wrote to memory of 3628 4044 Fnalmh32.exe 108 PID 4044 wrote to memory of 3628 4044 Fnalmh32.exe 108 PID 3628 wrote to memory of 2496 3628 Fgiaemic.exe 109 PID 3628 wrote to memory of 2496 3628 Fgiaemic.exe 109 PID 3628 wrote to memory of 2496 3628 Fgiaemic.exe 109 PID 2496 wrote to memory of 1596 2496 Fkemfl32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe"C:\Users\Admin\AppData\Local\Temp\a1f722f1add11fa3aae1bd955b474d9f557db15ddd84b8a271904d02cb354bfcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Dkedonpo.exeC:\Windows\system32\Dkedonpo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Enemaimp.exeC:\Windows\system32\Enemaimp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Ekngemhd.exeC:\Windows\system32\Ekngemhd.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Ecikjoep.exeC:\Windows\system32\Ecikjoep.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\Fclhpo32.exeC:\Windows\system32\Fclhpo32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Fboecfii.exeC:\Windows\system32\Fboecfii.exe23⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe24⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4888 -
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe26⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Fgnjqm32.exeC:\Windows\system32\Fgnjqm32.exe27⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Fgqgfl32.exeC:\Windows\system32\Fgqgfl32.exe29⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe31⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Gqnejaff.exeC:\Windows\system32\Gqnejaff.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Gndbie32.exeC:\Windows\system32\Gndbie32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4884 -
C:\Windows\SysWOW64\Gcqjal32.exeC:\Windows\system32\Gcqjal32.exe35⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe36⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3608 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe38⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Hkmlnimb.exeC:\Windows\system32\Hkmlnimb.exe39⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Hchqbkkm.exeC:\Windows\system32\Hchqbkkm.exe40⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe41⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Hkaeih32.exeC:\Windows\system32\Hkaeih32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Hghfnioq.exeC:\Windows\system32\Hghfnioq.exe43⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe44⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Ielfgmnj.exeC:\Windows\system32\Ielfgmnj.exe45⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe46⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe47⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Icachjbb.exeC:\Windows\system32\Icachjbb.exe48⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Infhebbh.exeC:\Windows\system32\Infhebbh.exe49⤵
- Executes dropped EXE
PID:3844 -
C:\Windows\SysWOW64\Iholohii.exeC:\Windows\system32\Iholohii.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4028 -
C:\Windows\SysWOW64\Ibdplaho.exeC:\Windows\system32\Ibdplaho.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Icfmci32.exeC:\Windows\system32\Icfmci32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe53⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe54⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Jnnnfalp.exeC:\Windows\system32\Jnnnfalp.exe55⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe56⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4180 -
C:\Windows\SysWOW64\Jldkeeig.exeC:\Windows\system32\Jldkeeig.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Jbncbpqd.exeC:\Windows\system32\Jbncbpqd.exe60⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Jlfhke32.exeC:\Windows\system32\Jlfhke32.exe61⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe62⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Jdalog32.exeC:\Windows\system32\Jdalog32.exe63⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Jjkdlall.exeC:\Windows\system32\Jjkdlall.exe64⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Jbbmmo32.exeC:\Windows\system32\Jbbmmo32.exe65⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe66⤵PID:800
-
C:\Windows\SysWOW64\Keceoj32.exeC:\Windows\system32\Keceoj32.exe67⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe68⤵PID:3620
-
C:\Windows\SysWOW64\Kajfdk32.exeC:\Windows\system32\Kajfdk32.exe69⤵
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Klpjad32.exeC:\Windows\system32\Klpjad32.exe70⤵PID:4324
-
C:\Windows\SysWOW64\Kalcik32.exeC:\Windows\system32\Kalcik32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Khfkfedn.exeC:\Windows\system32\Khfkfedn.exe72⤵PID:4916
-
C:\Windows\SysWOW64\Kblpcndd.exeC:\Windows\system32\Kblpcndd.exe73⤵PID:440
-
C:\Windows\SysWOW64\Khihld32.exeC:\Windows\system32\Khihld32.exe74⤵PID:3552
-
C:\Windows\SysWOW64\Kocphojh.exeC:\Windows\system32\Kocphojh.exe75⤵PID:2860
-
C:\Windows\SysWOW64\Kemhei32.exeC:\Windows\system32\Kemhei32.exe76⤵PID:1428
-
C:\Windows\SysWOW64\Klgqabib.exeC:\Windows\system32\Klgqabib.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Loemnnhe.exeC:\Windows\system32\Loemnnhe.exe78⤵PID:3408
-
C:\Windows\SysWOW64\Leoejh32.exeC:\Windows\system32\Leoejh32.exe79⤵PID:4780
-
C:\Windows\SysWOW64\Lklnconj.exeC:\Windows\system32\Lklnconj.exe80⤵PID:1372
-
C:\Windows\SysWOW64\Lddble32.exeC:\Windows\system32\Lddble32.exe81⤵PID:5096
-
C:\Windows\SysWOW64\Ledoegkm.exeC:\Windows\system32\Ledoegkm.exe82⤵PID:848
-
C:\Windows\SysWOW64\Lbhool32.exeC:\Windows\system32\Lbhool32.exe83⤵PID:1068
-
C:\Windows\SysWOW64\Loopdmpk.exeC:\Windows\system32\Loopdmpk.exe84⤵
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Lamlphoo.exeC:\Windows\system32\Lamlphoo.exe85⤵PID:5136
-
C:\Windows\SysWOW64\Mkepineo.exeC:\Windows\system32\Mkepineo.exe86⤵PID:5180
-
C:\Windows\SysWOW64\Mdnebc32.exeC:\Windows\system32\Mdnebc32.exe87⤵PID:5224
-
C:\Windows\SysWOW64\Maaekg32.exeC:\Windows\system32\Maaekg32.exe88⤵PID:5268
-
C:\Windows\SysWOW64\Mdpagc32.exeC:\Windows\system32\Mdpagc32.exe89⤵PID:5312
-
C:\Windows\SysWOW64\Mcabej32.exeC:\Windows\system32\Mcabej32.exe90⤵PID:5356
-
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe91⤵
- Modifies registry class
PID:5400 -
C:\Windows\SysWOW64\Mccokj32.exeC:\Windows\system32\Mccokj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe93⤵PID:5488
-
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe94⤵PID:5532
-
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe95⤵PID:5584
-
C:\Windows\SysWOW64\Mdghhb32.exeC:\Windows\system32\Mdghhb32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe97⤵PID:5688
-
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe98⤵PID:5724
-
C:\Windows\SysWOW64\Nomlek32.exeC:\Windows\system32\Nomlek32.exe99⤵PID:5788
-
C:\Windows\SysWOW64\Nakhaf32.exeC:\Windows\system32\Nakhaf32.exe100⤵PID:5828
-
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe101⤵PID:5912
-
C:\Windows\SysWOW64\Nlqloo32.exeC:\Windows\system32\Nlqloo32.exe102⤵PID:5960
-
C:\Windows\SysWOW64\Nooikj32.exeC:\Windows\system32\Nooikj32.exe103⤵
- Drops file in System32 directory
PID:6004 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe104⤵PID:6076
-
C:\Windows\SysWOW64\Nfiagd32.exeC:\Windows\system32\Nfiagd32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Ndlacapp.exeC:\Windows\system32\Ndlacapp.exe106⤵PID:5208
-
C:\Windows\SysWOW64\Nhgmcp32.exeC:\Windows\system32\Nhgmcp32.exe107⤵PID:5280
-
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe108⤵PID:5340
-
C:\Windows\SysWOW64\Napameoi.exeC:\Windows\system32\Napameoi.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5408 -
C:\Windows\SysWOW64\Nfknmd32.exeC:\Windows\system32\Nfknmd32.exe110⤵PID:5476
-
C:\Windows\SysWOW64\Nhjjip32.exeC:\Windows\system32\Nhjjip32.exe111⤵PID:5540
-
C:\Windows\SysWOW64\Nocbfjmc.exeC:\Windows\system32\Nocbfjmc.exe112⤵PID:5660
-
C:\Windows\SysWOW64\Nhlfoodc.exeC:\Windows\system32\Nhlfoodc.exe113⤵
- Modifies registry class
PID:5708 -
C:\Windows\SysWOW64\Ncaklhdi.exeC:\Windows\system32\Ncaklhdi.exe114⤵PID:5816
-
C:\Windows\SysWOW64\Oljoen32.exeC:\Windows\system32\Oljoen32.exe115⤵PID:5928
-
C:\Windows\SysWOW64\Obfhmd32.exeC:\Windows\system32\Obfhmd32.exe116⤵PID:6012
-
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe118⤵PID:5220
-
C:\Windows\SysWOW64\Ofijnbkb.exeC:\Windows\system32\Ofijnbkb.exe119⤵PID:5328
-
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Pkholi32.exeC:\Windows\system32\Pkholi32.exe121⤵
- Modifies registry class
PID:5572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-