Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/10/2024, 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe
-
Size
96KB
-
MD5
d6f39120af8c15b29a612ed8471c4300
-
SHA1
e222b803484f4d5d56df8c9712386211315df506
-
SHA256
535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bb
-
SHA512
593fa3ed12584cfdc73faac4033ee4942231481a224a98c535b9092817b47194953c17316c284a4bc88f17f4adc7d45b2bb7e47396a78f2256c14fe5aa3d353f
-
SSDEEP
3072:83DH5FQ3PxD0WdQRktiQTTEQfZEiHjnd69jc0v:8z8BjtiQTAQfZEMnd6NV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkicaahi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmbbhkjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgcihgaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgcbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkbkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhndpol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flkdfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnlecmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdjpmac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddifgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgoakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiphjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibegfglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqoloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcpjnjii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgeakekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbepme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddbcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olgncmim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelchgne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anaomkdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbelcblk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaonbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmcdffmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Feenjgfq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhnojl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjknfnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioflcbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpcapp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oacoqnci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckclhn32.exe -
Executes dropped EXE 64 IoCs
pid Process 4228 Ocdjpmac.exe 1140 Oebflhaf.exe 3140 Ojnblg32.exe 1216 Ollnhb32.exe 2448 Phcomcng.exe 3208 Ppjgoaoj.exe 832 Pcicklnn.exe 2808 Pjbkgfej.exe 3564 Plagcbdn.exe 3844 Pckppl32.exe 1016 Phhhhc32.exe 4400 Poaqemao.exe 4992 Pgihfj32.exe 4420 Phjenbhp.exe 1932 Ppamophb.exe 836 Pjjahe32.exe 4504 Qgnbaj32.exe 3636 Qqffjo32.exe 4004 Qjnkcekm.exe 1588 Agbkmijg.exe 3816 Aqkpeopg.exe 4232 Amaqjp32.exe 1436 Ackigjmh.exe 3580 Ajeadd32.exe 3320 Acnemi32.exe 4384 Aijnep32.exe 4060 Acpbbi32.exe 4876 Ajjjocap.exe 3188 Bogcgj32.exe 1224 Bfqkddfd.exe 376 Bmkcqn32.exe 4988 Bgpgng32.exe 4808 Bmmpfn32.exe 4248 Bcghch32.exe 2104 Bjaqpbkh.exe 3404 Bmomlnjk.exe 2332 Bciehh32.exe 1728 Bifmqo32.exe 3264 Bqmeal32.exe 3328 Bggnof32.exe 1456 Bihjfnmm.exe 1936 Cpbbch32.exe 640 Ccnncgmc.exe 1188 Cikglnkj.exe 2756 Cmfclm32.exe 3576 Cglgjeci.exe 4844 Cmipblaq.exe 2708 Ccchof32.exe 1744 Cfadkb32.exe 1968 Cmklglpn.exe 4548 Cpihcgoa.exe 3400 Cjomap32.exe 3996 Cibmlmeb.exe 4000 Cgcmjd32.exe 3272 Cidjbmcp.exe 996 Dmpfbk32.exe 4424 Dcjnoece.exe 1708 Djdflp32.exe 2784 Dmbbhkjf.exe 3536 Dpqodfij.exe 4604 Diicml32.exe 2128 Dpckjfgg.exe 3080 Dcogje32.exe 704 Dfmcfp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dihlbf32.exe Dfjpfj32.exe File created C:\Windows\SysWOW64\Dpifjj32.dll Mhoahh32.exe File created C:\Windows\SysWOW64\Kollmhpg.dll Emlenj32.exe File created C:\Windows\SysWOW64\Cggimh32.exe Cpmapodj.exe File created C:\Windows\SysWOW64\Fgcjfbed.exe Feenjgfq.exe File created C:\Windows\SysWOW64\Bpcgpihi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Akamff32.exe Ajpqnneo.exe File opened for modification C:\Windows\SysWOW64\Dcigeooj.exe Dkbocbog.exe File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe Aoioli32.exe File opened for modification C:\Windows\SysWOW64\Ddkbmj32.exe Dnajppda.exe File created C:\Windows\SysWOW64\Hpaoan32.dll Feenjgfq.exe File opened for modification C:\Windows\SysWOW64\Boihcf32.exe Bknlbhhe.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe Galoohke.exe File created C:\Windows\SysWOW64\Kgdkgc32.dll Nlnkmnah.exe File opened for modification C:\Windows\SysWOW64\Mjdebfnd.exe Mgehfkop.exe File opened for modification C:\Windows\SysWOW64\Oacoqnci.exe Ojigdcll.exe File created C:\Windows\SysWOW64\Iojmqe32.dll Cdbfab32.exe File created C:\Windows\SysWOW64\Ekaapi32.exe Eicedn32.exe File created C:\Windows\SysWOW64\Bipecnkd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oboijgbl.exe Oldamm32.exe File created C:\Windows\SysWOW64\Ebfign32.exe Eohmkb32.exe File opened for modification C:\Windows\SysWOW64\Dhlpqc32.exe Dpehof32.exe File created C:\Windows\SysWOW64\Nhkikq32.exe Nemmoe32.exe File opened for modification C:\Windows\SysWOW64\Nbcjnilj.exe Nliaao32.exe File created C:\Windows\SysWOW64\Bpecpgjp.dll Nbcjnilj.exe File opened for modification C:\Windows\SysWOW64\Edbiniff.exe Ebdlangb.exe File opened for modification C:\Windows\SysWOW64\Mnmmboed.exe Mfeeabda.exe File opened for modification C:\Windows\SysWOW64\Niakfbpa.exe Najceeoo.exe File created C:\Windows\SysWOW64\Elbhjp32.exe Efepbi32.exe File created C:\Windows\SysWOW64\Oipgkfab.dll Mofmobmo.exe File opened for modification C:\Windows\SysWOW64\Bmkcqn32.exe Bfqkddfd.exe File created C:\Windows\SysWOW64\Lnangaoa.exe Lggejg32.exe File created C:\Windows\SysWOW64\Ncnofeof.exe Nqpcjj32.exe File created C:\Windows\SysWOW64\Pefabkej.exe Pmoiqneg.exe File created C:\Windows\SysWOW64\Gbemad32.dll Gmeakf32.exe File opened for modification C:\Windows\SysWOW64\Ijogmdqm.exe Igqkqiai.exe File created C:\Windows\SysWOW64\Kilpmh32.exe Keqdmihc.exe File opened for modification C:\Windows\SysWOW64\Oimkbaed.exe Oafcqcea.exe File opened for modification C:\Windows\SysWOW64\Cmmbbejp.exe Cbgnemjj.exe File opened for modification C:\Windows\SysWOW64\Pmcclm32.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Cfidbo32.dll Iomoenej.exe File created C:\Windows\SysWOW64\Cpkgohbq.dll Adcjop32.exe File created C:\Windows\SysWOW64\Dcogje32.exe Dpckjfgg.exe File created C:\Windows\SysWOW64\Mjodla32.exe Mcelpggq.exe File opened for modification C:\Windows\SysWOW64\Glkmmefl.exe Gimqajgh.exe File opened for modification C:\Windows\SysWOW64\Lakfeodm.exe Lomjicei.exe File created C:\Windows\SysWOW64\Ppikbm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Giinpa32.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Flippejg.dll Qgnbaj32.exe File created C:\Windows\SysWOW64\Ohmkjd32.dll Cidjbmcp.exe File created C:\Windows\SysWOW64\Doaneiop.exe Digehphc.exe File opened for modification C:\Windows\SysWOW64\Ikndgg32.exe Ihphkl32.exe File opened for modification C:\Windows\SysWOW64\Lndham32.exe Lgkpdcmi.exe File created C:\Windows\SysWOW64\Jlobem32.dll Cpmapodj.exe File created C:\Windows\SysWOW64\Imkbnf32.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Dccdcfha.dll Qqffjo32.exe File created C:\Windows\SysWOW64\Hjpcoo32.dll Hkeaqi32.exe File created C:\Windows\SysWOW64\Cgieglah.dll Phincl32.exe File created C:\Windows\SysWOW64\Pmlmkn32.exe Pknqoc32.exe File created C:\Windows\SysWOW64\Pjdhhc32.dll Pefabkej.exe File created C:\Windows\SysWOW64\Kmhjapnj.dll Hplbickp.exe File created C:\Windows\SysWOW64\Ockdmmoj.exe Process not Found File created C:\Windows\SysWOW64\Qcaofebg.exe Qkjgegae.exe File opened for modification C:\Windows\SysWOW64\Cbbdjm32.exe Ckilmcgb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8056 7196 Process not Found 1208 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmeede32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgnjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgeno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcndeen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfennic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgmcce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mniallpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbphdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijegcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpaqmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efgemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbeml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oboijgbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empoiimf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojlaeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdepgkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poajkgnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjgaoqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkcqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edbiniff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fndpmndl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koajmepf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhnaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnfjehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obafpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlikkkhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiipofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmkhgho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feoodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkmmefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilibdmgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkmdkgob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdpkflfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbhknkl.dll" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll" Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfidbo32.dll" Iomoenej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idieem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbigf32.dll" Njiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll" Mjokgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmjemflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anobgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glcaambb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omnjojpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahdpjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpqiega.dll" Mpeiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll" Mjlhgaqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhldbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklaah32.dll" Iahlcaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikmnf32.dll" Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahceqce.dll" Gbkkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkdhjknm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahdpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiacfqch.dll" Jnhidk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inagcf32.dll" Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" Madjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Haodle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhkgplb.dll" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkqkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhobd32.dll" Albpkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll" Jlbejloe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcaihm32.dll" Mnlnbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeaanjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qiginoqd.dll" Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibmbgdm.dll" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnoab32.dll" Kelkaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iomoenej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpbmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iidphgcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbbeml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmflc32.dll" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hglppijc.dll" Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcagd32.dll" Mjdebfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmakeiil.dll" Nlkngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhpog32.dll" Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeodmbol.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 4228 3016 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 85 PID 3016 wrote to memory of 4228 3016 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 85 PID 3016 wrote to memory of 4228 3016 535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe 85 PID 4228 wrote to memory of 1140 4228 Ocdjpmac.exe 87 PID 4228 wrote to memory of 1140 4228 Ocdjpmac.exe 87 PID 4228 wrote to memory of 1140 4228 Ocdjpmac.exe 87 PID 1140 wrote to memory of 3140 1140 Oebflhaf.exe 88 PID 1140 wrote to memory of 3140 1140 Oebflhaf.exe 88 PID 1140 wrote to memory of 3140 1140 Oebflhaf.exe 88 PID 3140 wrote to memory of 1216 3140 Ojnblg32.exe 89 PID 3140 wrote to memory of 1216 3140 Ojnblg32.exe 89 PID 3140 wrote to memory of 1216 3140 Ojnblg32.exe 89 PID 1216 wrote to memory of 2448 1216 Ollnhb32.exe 90 PID 1216 wrote to memory of 2448 1216 Ollnhb32.exe 90 PID 1216 wrote to memory of 2448 1216 Ollnhb32.exe 90 PID 2448 wrote to memory of 3208 2448 Phcomcng.exe 91 PID 2448 wrote to memory of 3208 2448 Phcomcng.exe 91 PID 2448 wrote to memory of 3208 2448 Phcomcng.exe 91 PID 3208 wrote to memory of 832 3208 Ppjgoaoj.exe 92 PID 3208 wrote to memory of 832 3208 Ppjgoaoj.exe 92 PID 3208 wrote to memory of 832 3208 Ppjgoaoj.exe 92 PID 832 wrote to memory of 2808 832 Pcicklnn.exe 93 PID 832 wrote to memory of 2808 832 Pcicklnn.exe 93 PID 832 wrote to memory of 2808 832 Pcicklnn.exe 93 PID 2808 wrote to memory of 3564 2808 Pjbkgfej.exe 94 PID 2808 wrote to memory of 3564 2808 Pjbkgfej.exe 94 PID 2808 wrote to memory of 3564 2808 Pjbkgfej.exe 94 PID 3564 wrote to memory of 3844 3564 Plagcbdn.exe 95 PID 3564 wrote to memory of 3844 3564 Plagcbdn.exe 95 PID 3564 wrote to memory of 3844 3564 Plagcbdn.exe 95 PID 3844 wrote to memory of 1016 3844 Pckppl32.exe 96 PID 3844 wrote to memory of 1016 3844 Pckppl32.exe 96 PID 3844 wrote to memory of 1016 3844 Pckppl32.exe 96 PID 1016 wrote to memory of 4400 1016 Phhhhc32.exe 97 PID 1016 wrote to memory of 4400 1016 Phhhhc32.exe 97 PID 1016 wrote to memory of 4400 1016 Phhhhc32.exe 97 PID 4400 wrote to memory of 4992 4400 Poaqemao.exe 98 PID 4400 wrote to memory of 4992 4400 Poaqemao.exe 98 PID 4400 wrote to memory of 4992 4400 Poaqemao.exe 98 PID 4992 wrote to memory of 4420 4992 Pgihfj32.exe 99 PID 4992 wrote to memory of 4420 4992 Pgihfj32.exe 99 PID 4992 wrote to memory of 4420 4992 Pgihfj32.exe 99 PID 4420 wrote to memory of 1932 4420 Phjenbhp.exe 100 PID 4420 wrote to memory of 1932 4420 Phjenbhp.exe 100 PID 4420 wrote to memory of 1932 4420 Phjenbhp.exe 100 PID 1932 wrote to memory of 836 1932 Ppamophb.exe 101 PID 1932 wrote to memory of 836 1932 Ppamophb.exe 101 PID 1932 wrote to memory of 836 1932 Ppamophb.exe 101 PID 836 wrote to memory of 4504 836 Pjjahe32.exe 102 PID 836 wrote to memory of 4504 836 Pjjahe32.exe 102 PID 836 wrote to memory of 4504 836 Pjjahe32.exe 102 PID 4504 wrote to memory of 3636 4504 Qgnbaj32.exe 103 PID 4504 wrote to memory of 3636 4504 Qgnbaj32.exe 103 PID 4504 wrote to memory of 3636 4504 Qgnbaj32.exe 103 PID 3636 wrote to memory of 4004 3636 Qqffjo32.exe 104 PID 3636 wrote to memory of 4004 3636 Qqffjo32.exe 104 PID 3636 wrote to memory of 4004 3636 Qqffjo32.exe 104 PID 4004 wrote to memory of 1588 4004 Qjnkcekm.exe 105 PID 4004 wrote to memory of 1588 4004 Qjnkcekm.exe 105 PID 4004 wrote to memory of 1588 4004 Qjnkcekm.exe 105 PID 1588 wrote to memory of 3816 1588 Agbkmijg.exe 106 PID 1588 wrote to memory of 3816 1588 Agbkmijg.exe 106 PID 1588 wrote to memory of 3816 1588 Agbkmijg.exe 106 PID 3816 wrote to memory of 4232 3816 Aqkpeopg.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe"C:\Users\Admin\AppData\Local\Temp\535a002200ccecf700f65f54aa8dd1b139a99f0dc42a5b26c2f7a91e3b4288bbN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:4232 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe25⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe26⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe27⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe28⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe29⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe30⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe33⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe34⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe35⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe36⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe37⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe38⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe39⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe40⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe41⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe42⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe43⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe44⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe45⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe46⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe47⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe48⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe49⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe50⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe51⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe52⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe53⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe54⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe55⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3272 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe57⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe58⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe59⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe61⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe62⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe64⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe65⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe66⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe67⤵PID:4904
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe68⤵PID:2440
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe69⤵PID:1740
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe70⤵PID:3752
-
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe71⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe72⤵PID:4056
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe73⤵PID:2472
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe74⤵PID:4456
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe75⤵PID:1576
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe76⤵
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe77⤵PID:3884
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe78⤵PID:2720
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe79⤵PID:2144
-
C:\Windows\SysWOW64\Edmclccp.exeC:\Windows\system32\Edmclccp.exe80⤵PID:2984
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe81⤵PID:1448
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe82⤵PID:4704
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe83⤵PID:4068
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe84⤵PID:2568
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe85⤵PID:4884
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe86⤵PID:348
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe87⤵
- System Location Discovery: System Language Discovery
PID:4140 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe88⤵PID:4472
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe89⤵PID:4508
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe90⤵PID:852
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe91⤵PID:3992
-
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe92⤵PID:4572
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe93⤵PID:4224
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe94⤵PID:2184
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe95⤵PID:1220
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe96⤵PID:2276
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe97⤵PID:544
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe98⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5056 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe100⤵PID:3900
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe101⤵PID:1284
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe102⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe103⤵PID:2304
-
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe104⤵PID:2460
-
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe105⤵
- System Location Discovery: System Language Discovery
PID:720 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe106⤵PID:4132
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe107⤵PID:5136
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe108⤵PID:5180
-
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe109⤵PID:5224
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5268 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe111⤵PID:5312
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe112⤵PID:5356
-
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe113⤵PID:5400
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe114⤵PID:5448
-
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe115⤵PID:5492
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe116⤵PID:5536
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe117⤵PID:5580
-
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe118⤵PID:5624
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5668 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe120⤵PID:5712
-
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe121⤵PID:5756
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-