Analysis
-
max time kernel
106s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2024, 09:19
Behavioral task
behavioral1
Sample
15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe
-
Size
208KB
-
MD5
dd370823942f13412a3334bf225b1840
-
SHA1
6af426539b2b0bedee25d88ace5b2a50022b3d89
-
SHA256
15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fb
-
SHA512
fd3f65902481dc1dcdb9648a6f616536cfbf401c9a202a2ea05afc55fca7c17f16c46fbfb0d61b1b3da18cf06924bc01388581c2b79b6c1071ddaccc6c797ead
-
SSDEEP
3072:TFBsNbXv5HBh21XDiaw57rjrN/6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:ofpBA6xrjrNy+Eu6QnFw5+0pU8b
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noeahkfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbajbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahchda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adkgje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollnhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epagkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmoohe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lopmii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdpelnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbhkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pabblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlegnjbm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdhcgaic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdoihpbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbalopbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mejpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjlopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giqkkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcaofebg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoideh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqfdnah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpanan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchlpfjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfgbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjcnold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnkdq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdgged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cofnik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomgjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlbcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neffpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkeldnpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbloglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdecgbfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgeghp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajpbckl.exe -
Executes dropped EXE 64 IoCs
pid Process 4664 Mplafeil.exe 4944 Mbjnbqhp.exe 4272 Mlbbkfoq.exe 764 Mblkhq32.exe 4296 Mekgdl32.exe 4404 Mhicpg32.exe 1096 Mockmala.exe 532 Mfjcnold.exe 1832 Nlglfe32.exe 380 Noehba32.exe 4300 Ngmpcn32.exe 1176 Neppokal.exe 4904 Nhnlkfpp.exe 2400 Nbcqiope.exe 1156 Ngomin32.exe 3976 Nhpiafnm.exe 1880 Npgabc32.exe 2408 Nedjjj32.exe 4824 Nlnbgddc.exe 1136 Nchjdo32.exe 2424 Neffpj32.exe 3772 Nlqomd32.exe 608 Nplkmckj.exe 2696 Oidofh32.exe 3396 Opogbbig.exe 4680 Ocmconhk.exe 3676 Oekpkigo.exe 2440 Ohjlgefb.exe 1032 Opadhb32.exe 4336 Ocopdn32.exe 2448 Ogklelna.exe 2240 Ohlimd32.exe 2124 Opcqnb32.exe 1432 Oepifi32.exe 464 Ohnebd32.exe 2136 Opemca32.exe 548 Oohnonij.exe 1012 Ogpepl32.exe 4388 Ojnblg32.exe 5008 Ollnhb32.exe 3076 Ookjdn32.exe 1532 Ocffempp.exe 4236 Pgbbek32.exe 4184 Pjpobg32.exe 3224 Phcomcng.exe 784 Ppjgoaoj.exe 3160 Pomgjn32.exe 2300 Pgdokkfg.exe 4536 Pjbkgfej.exe 3752 Phelcc32.exe 4864 Plagcbdn.exe 1352 Poodpmca.exe 4360 Pgflqkdd.exe 336 Pjehmfch.exe 2552 Plcdiabk.exe 4780 Ppopjp32.exe 2360 Pcmlfl32.exe 1644 Pflibgil.exe 1280 Pleaoa32.exe 2808 Ppamophb.exe 3620 Pcpikkge.exe 3972 Pfnegggi.exe 1428 Phlacbfm.exe 1844 Pqcjepfo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cjjcfabm.exe Ccqkigkp.exe File opened for modification C:\Windows\SysWOW64\Ohhnbhok.exe Odmbaj32.exe File opened for modification C:\Windows\SysWOW64\Qmgelf32.exe Qfmmplad.exe File created C:\Windows\SysWOW64\Dcdcmh32.dll Fmpqfq32.exe File created C:\Windows\SysWOW64\Dolqpa32.dll Ljeafb32.exe File created C:\Windows\SysWOW64\Enbjad32.exe Emanjldl.exe File created C:\Windows\SysWOW64\Pmhkafda.dll Imiehfao.exe File opened for modification C:\Windows\SysWOW64\Hnaqgd32.exe Hhdhon32.exe File opened for modification C:\Windows\SysWOW64\Ebhglj32.exe Epikpo32.exe File created C:\Windows\SysWOW64\Bahkih32.exe Bllbaa32.exe File opened for modification C:\Windows\SysWOW64\Cdpjlb32.exe Cbbnpg32.exe File created C:\Windows\SysWOW64\Knhcpa32.dll Okgaijaj.exe File created C:\Windows\SysWOW64\Fpmehf32.dll Phganm32.exe File opened for modification C:\Windows\SysWOW64\Aekddhcb.exe Aoalgn32.exe File created C:\Windows\SysWOW64\Gejopl32.exe Gblbca32.exe File opened for modification C:\Windows\SysWOW64\Bpnihiio.exe Bmomlnjk.exe File created C:\Windows\SysWOW64\Embkoi32.exe Ejdocm32.exe File created C:\Windows\SysWOW64\Iqklon32.exe Inmpcc32.exe File opened for modification C:\Windows\SysWOW64\Nbgcih32.exe Nolgijpk.exe File created C:\Windows\SysWOW64\Fnpeoe32.dll Bbnkonbd.exe File opened for modification C:\Windows\SysWOW64\Ecgcfm32.exe Elpkep32.exe File created C:\Windows\SysWOW64\Jbklgfdh.dll Iliinc32.exe File opened for modification C:\Windows\SysWOW64\Mnmmboed.exe Mfeeabda.exe File opened for modification C:\Windows\SysWOW64\Gmbmkpie.exe Gjdaodja.exe File created C:\Windows\SysWOW64\Npjfngdm.dll Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pkgcea32.exe File created C:\Windows\SysWOW64\Alelqb32.exe Aekddhcb.exe File created C:\Windows\SysWOW64\Ocaikjof.dll Hjchaf32.exe File created C:\Windows\SysWOW64\Maodigil.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Oehlkc32.exe Nlphbnoe.exe File opened for modification C:\Windows\SysWOW64\Eidlnd32.exe Ecgcfm32.exe File opened for modification C:\Windows\SysWOW64\Mfqlfb32.exe Mqdcnl32.exe File created C:\Windows\SysWOW64\Ojnkocdc.dll Mqdcnl32.exe File created C:\Windows\SysWOW64\Hiebgmkm.dll Qfmmplad.exe File created C:\Windows\SysWOW64\Jhijep32.dll Chnlgjlb.exe File created C:\Windows\SysWOW64\Bfhadc32.exe Bgeaifia.exe File created C:\Windows\SysWOW64\Bjfjgifo.dll Lnpofnhk.exe File created C:\Windows\SysWOW64\Ogacbllg.dll Pecellgl.exe File created C:\Windows\SysWOW64\Lfipab32.dll Eecphp32.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Gpnfge32.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Aokcklid.exe Qlmgopjq.exe File created C:\Windows\SysWOW64\Akffafgg.exe Ahgjejhd.exe File opened for modification C:\Windows\SysWOW64\Mnmdme32.exe Mgclpkac.exe File opened for modification C:\Windows\SysWOW64\Manmoq32.exe Mnpabe32.exe File opened for modification C:\Windows\SysWOW64\Oohnonij.exe Opemca32.exe File opened for modification C:\Windows\SysWOW64\Epikpo32.exe Ejlbhh32.exe File created C:\Windows\SysWOW64\Lmlnmdij.dll Gmbmkpie.exe File created C:\Windows\SysWOW64\Ikdcmpnl.exe Icnklbmj.exe File opened for modification C:\Windows\SysWOW64\Ffclcgfn.exe Fbhpch32.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lcnmin32.exe File opened for modification C:\Windows\SysWOW64\Jcoaglhk.exe Jmbhoeid.exe File created C:\Windows\SysWOW64\Pccahbmn.exe Pmiikh32.exe File opened for modification C:\Windows\SysWOW64\Hlepcdoa.exe Hekgfj32.exe File created C:\Windows\SysWOW64\Bhocin32.dll Qebhhp32.exe File created C:\Windows\SysWOW64\Nlbdlk32.dll Aodogdmn.exe File created C:\Windows\SysWOW64\Cjecpkcg.exe Bbnkonbd.exe File created C:\Windows\SysWOW64\Cofnik32.exe Chlflabp.exe File created C:\Windows\SysWOW64\Ogakfe32.dll Phcgcqab.exe File created C:\Windows\SysWOW64\Debbhd32.dll Embkoi32.exe File created C:\Windows\SysWOW64\Ggpbjkpl.exe Ghmbno32.exe File opened for modification C:\Windows\SysWOW64\Gpkchqdj.exe Giqkkf32.exe File created C:\Windows\SysWOW64\Nqbpojnp.exe Nncccnol.exe File created C:\Windows\SysWOW64\Mioodgbj.dll Bfqkddfd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5156 3972 WerFault.exe 960 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnebd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caghhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obafpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohpkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efkphnbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjcnold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emanjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnemi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlphbnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodogdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fealin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflaie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbbkfoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phganm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbiamhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caienjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meamcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdcbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plagcbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmpkqqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqpbglno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkpnclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbkmijg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boipmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcqpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnkkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhecmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimqajgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biadeoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epokedmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boflmdkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mibime32.dll" Giqkkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oejbgd32.dll" Nlnbgddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngdja32.dll" Ohnebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meepdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccicgnco.dll" Epagkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofkjd32.dll" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfaemp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghocf32.dll" Nolgijpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmiclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbnag32.dll" Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oheihn32.dll" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll" Iibccgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnbakghm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlbcnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifmqfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocffempp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffpicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpqjglii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeemcfc.dll" Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opemca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdglmkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll" Bdagpnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdmmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjchaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabdjc32.dll" Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebcnn32.dll" Oaqbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boeebnhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqkpeopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmkmjjaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcbfakec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fipbdikp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gjdaodja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmehdam.dll" Hajpbckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Licfngjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifibod.dll" Qepkbpak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akffafgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll" Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oepifi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1120 wrote to memory of 4664 1120 15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe 85 PID 1120 wrote to memory of 4664 1120 15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe 85 PID 1120 wrote to memory of 4664 1120 15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe 85 PID 4664 wrote to memory of 4944 4664 Mplafeil.exe 86 PID 4664 wrote to memory of 4944 4664 Mplafeil.exe 86 PID 4664 wrote to memory of 4944 4664 Mplafeil.exe 86 PID 4944 wrote to memory of 4272 4944 Mbjnbqhp.exe 87 PID 4944 wrote to memory of 4272 4944 Mbjnbqhp.exe 87 PID 4944 wrote to memory of 4272 4944 Mbjnbqhp.exe 87 PID 4272 wrote to memory of 764 4272 Mlbbkfoq.exe 88 PID 4272 wrote to memory of 764 4272 Mlbbkfoq.exe 88 PID 4272 wrote to memory of 764 4272 Mlbbkfoq.exe 88 PID 764 wrote to memory of 4296 764 Mblkhq32.exe 89 PID 764 wrote to memory of 4296 764 Mblkhq32.exe 89 PID 764 wrote to memory of 4296 764 Mblkhq32.exe 89 PID 4296 wrote to memory of 4404 4296 Mekgdl32.exe 90 PID 4296 wrote to memory of 4404 4296 Mekgdl32.exe 90 PID 4296 wrote to memory of 4404 4296 Mekgdl32.exe 90 PID 4404 wrote to memory of 1096 4404 Mhicpg32.exe 92 PID 4404 wrote to memory of 1096 4404 Mhicpg32.exe 92 PID 4404 wrote to memory of 1096 4404 Mhicpg32.exe 92 PID 1096 wrote to memory of 532 1096 Mockmala.exe 93 PID 1096 wrote to memory of 532 1096 Mockmala.exe 93 PID 1096 wrote to memory of 532 1096 Mockmala.exe 93 PID 532 wrote to memory of 1832 532 Mfjcnold.exe 94 PID 532 wrote to memory of 1832 532 Mfjcnold.exe 94 PID 532 wrote to memory of 1832 532 Mfjcnold.exe 94 PID 1832 wrote to memory of 380 1832 Nlglfe32.exe 95 PID 1832 wrote to memory of 380 1832 Nlglfe32.exe 95 PID 1832 wrote to memory of 380 1832 Nlglfe32.exe 95 PID 380 wrote to memory of 4300 380 Noehba32.exe 96 PID 380 wrote to memory of 4300 380 Noehba32.exe 96 PID 380 wrote to memory of 4300 380 Noehba32.exe 96 PID 4300 wrote to memory of 1176 4300 Ngmpcn32.exe 97 PID 4300 wrote to memory of 1176 4300 Ngmpcn32.exe 97 PID 4300 wrote to memory of 1176 4300 Ngmpcn32.exe 97 PID 1176 wrote to memory of 4904 1176 Neppokal.exe 98 PID 1176 wrote to memory of 4904 1176 Neppokal.exe 98 PID 1176 wrote to memory of 4904 1176 Neppokal.exe 98 PID 4904 wrote to memory of 2400 4904 Nhnlkfpp.exe 100 PID 4904 wrote to memory of 2400 4904 Nhnlkfpp.exe 100 PID 4904 wrote to memory of 2400 4904 Nhnlkfpp.exe 100 PID 2400 wrote to memory of 1156 2400 Nbcqiope.exe 101 PID 2400 wrote to memory of 1156 2400 Nbcqiope.exe 101 PID 2400 wrote to memory of 1156 2400 Nbcqiope.exe 101 PID 1156 wrote to memory of 3976 1156 Ngomin32.exe 102 PID 1156 wrote to memory of 3976 1156 Ngomin32.exe 102 PID 1156 wrote to memory of 3976 1156 Ngomin32.exe 102 PID 3976 wrote to memory of 1880 3976 Nhpiafnm.exe 103 PID 3976 wrote to memory of 1880 3976 Nhpiafnm.exe 103 PID 3976 wrote to memory of 1880 3976 Nhpiafnm.exe 103 PID 1880 wrote to memory of 2408 1880 Npgabc32.exe 104 PID 1880 wrote to memory of 2408 1880 Npgabc32.exe 104 PID 1880 wrote to memory of 2408 1880 Npgabc32.exe 104 PID 2408 wrote to memory of 4824 2408 Nedjjj32.exe 105 PID 2408 wrote to memory of 4824 2408 Nedjjj32.exe 105 PID 2408 wrote to memory of 4824 2408 Nedjjj32.exe 105 PID 4824 wrote to memory of 1136 4824 Nlnbgddc.exe 106 PID 4824 wrote to memory of 1136 4824 Nlnbgddc.exe 106 PID 4824 wrote to memory of 1136 4824 Nlnbgddc.exe 106 PID 1136 wrote to memory of 2424 1136 Nchjdo32.exe 107 PID 1136 wrote to memory of 2424 1136 Nchjdo32.exe 107 PID 1136 wrote to memory of 2424 1136 Nchjdo32.exe 107 PID 2424 wrote to memory of 3772 2424 Neffpj32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe"C:\Users\Admin\AppData\Local\Temp\15e9fb4558b3010bcccafe2819df8ed048570ab949367b93f1c0f04efb0161fbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\Mblkhq32.exeC:\Windows\system32\Mblkhq32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe23⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe24⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe25⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe26⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe27⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe28⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe29⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe30⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe31⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe32⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe33⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe34⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe38⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe39⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe40⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe42⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe44⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe45⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe46⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe47⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Pgdokkfg.exeC:\Windows\system32\Pgdokkfg.exe49⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe50⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe51⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe53⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe54⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe55⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe57⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe58⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe59⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe61⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe63⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe64⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe65⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe66⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe67⤵PID:2792
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe68⤵PID:636
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe69⤵PID:3648
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe70⤵PID:3500
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe71⤵PID:768
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe72⤵PID:1596
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe73⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe74⤵PID:2280
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe75⤵
- System Location Discovery: System Language Discovery
PID:4348 -
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe76⤵PID:5012
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3104 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe78⤵
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe79⤵PID:2816
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe80⤵PID:1160
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe81⤵PID:4444
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe82⤵PID:4424
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe83⤵PID:1252
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe84⤵PID:3664
-
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe85⤵PID:468
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe86⤵PID:4620
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe87⤵PID:5136
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe88⤵
- System Location Discovery: System Language Discovery
PID:5180 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe89⤵
- System Location Discovery: System Language Discovery
PID:5224 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe90⤵PID:5268
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe91⤵PID:5312
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe92⤵PID:5364
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe93⤵PID:5416
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe94⤵PID:5484
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe95⤵PID:5532
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe96⤵PID:5600
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe97⤵PID:5644
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe98⤵
- Drops file in System32 directory
PID:5692 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe99⤵PID:5756
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe100⤵PID:5832
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe102⤵PID:5948
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe103⤵PID:5996
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe104⤵
- System Location Discovery: System Language Discovery
PID:6044 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe105⤵PID:6092
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe106⤵PID:6140
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe107⤵PID:2016
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe108⤵PID:5256
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe109⤵PID:5344
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe110⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe111⤵PID:5520
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe112⤵PID:5148
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe113⤵
- Drops file in System32 directory
PID:5640 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe114⤵PID:5680
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe115⤵
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe116⤵PID:5880
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe117⤵PID:5964
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe118⤵PID:6036
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe119⤵
- System Location Discovery: System Language Discovery
PID:6104 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe120⤵PID:5188
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe121⤵PID:5296
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-