Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 09:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe
-
Size
79KB
-
MD5
5a0b8214f7acdae1996eb092b22bd980
-
SHA1
eaf846b35a7e34a3265ef4a510972f4b8a75f9e9
-
SHA256
704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aa
-
SHA512
8c01b4d64739eef835021ff8f11b772060308b2256b4e77a38613573d9da1df9bc2194c62294eccfad4a45344ef809bbb09b88e77d4ead9ec2108db57fba0358
-
SSDEEP
1536:vlaKi9J8FD5z47J+gMGHJMMMMMvIULsXZrI1jHJZrR:5Dh4nMGpMMMMMvDmu1jHJ9R
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlieda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbmqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafdkmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmlmkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeoooml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfklhhcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfbobf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folaiqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnphmkji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngcje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjpfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhihdcbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plhnda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbdikp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piphgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcfahbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hheoid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiihahme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjibj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afmhck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkoigdom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjjac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbkbpoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejchhgid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealadnik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqkigkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caghhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfoplpla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidhlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akamff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqhafffk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdijbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnindhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiglnf32.exe -
Executes dropped EXE 64 IoCs
pid Process 3084 Pcijeb32.exe 4744 Pgefeajb.exe 3752 Pnonbk32.exe 4572 Pdifoehl.exe 904 Pfjcgn32.exe 3436 Pmdkch32.exe 1040 Pcncpbmd.exe 3496 Pflplnlg.exe 5080 Pmfhig32.exe 3824 Pdmpje32.exe 2212 Pfolbmje.exe 4016 Pnfdcjkg.exe 1652 Pdpmpdbd.exe 3428 Pfaigm32.exe 3200 Qnhahj32.exe 2232 Qdbiedpa.exe 1408 Qgqeappe.exe 4484 Qjoankoi.exe 1776 Qqijje32.exe 556 Qgcbgo32.exe 3968 Anmjcieo.exe 4996 Acjclpcf.exe 2200 Afhohlbj.exe 2656 Anogiicl.exe 1552 Aqncedbp.exe 3984 Agglboim.exe 1212 Afjlnk32.exe 4388 Anadoi32.exe 1360 Amddjegd.exe 3964 Aeklkchg.exe 1392 Acnlgp32.exe 3368 Afmhck32.exe 3456 Amgapeea.exe 4760 Acqimo32.exe 2312 Aepefb32.exe 1296 Bmkjkd32.exe 1576 Bganhm32.exe 5092 Bmngqdpj.exe 1712 Bgcknmop.exe 4508 Bjagjhnc.exe 2060 Bmpcfdmg.exe 1200 Balpgb32.exe 3128 Bcjlcn32.exe 4940 Bfhhoi32.exe 3928 Bmbplc32.exe 3552 Banllbdn.exe 2556 Bhhdil32.exe 3656 Bjfaeh32.exe 2760 Bmemac32.exe 3592 Bcoenmao.exe 4620 Cfmajipb.exe 4392 Cndikf32.exe 212 Cenahpha.exe 3684 Cjkjpgfi.exe 376 Ceqnmpfo.exe 1532 Cdcoim32.exe 1664 Ceckcp32.exe 3504 Cfdhkhjj.exe 4172 Cajlhqjp.exe 2192 Cjbpaf32.exe 2476 Cnnlaehj.exe 3524 Dfiafg32.exe 3328 Dejacond.exe 3708 Djgjlelk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Laniklje.dll Dhlpqc32.exe File opened for modification C:\Windows\SysWOW64\Lieccf32.exe Lankbigo.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kcndbp32.exe File created C:\Windows\SysWOW64\Ahippdbe.exe Aaohcj32.exe File created C:\Windows\SysWOW64\Gefklj32.dll Hifcgion.exe File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe Iohejo32.exe File created C:\Windows\SysWOW64\Cqgkec32.dll Iomcgl32.exe File opened for modification C:\Windows\SysWOW64\Lidmhmnp.exe Lfealaol.exe File created C:\Windows\SysWOW64\Bohbhmfm.exe Blielbfi.exe File opened for modification C:\Windows\SysWOW64\Flinkojm.exe Fikbocki.exe File created C:\Windows\SysWOW64\Bnfihkqm.exe Alelqb32.exe File created C:\Windows\SysWOW64\Figmglee.dll Process not Found File created C:\Windows\SysWOW64\Bmpcfdmg.exe Bjagjhnc.exe File created C:\Windows\SysWOW64\Micoed32.exe Malgcg32.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Process not Found File created C:\Windows\SysWOW64\Ngjkfd32.exe Process not Found File created C:\Windows\SysWOW64\Hcjdeo32.dll Fafdkmap.exe File created C:\Windows\SysWOW64\Ccdnjp32.exe Ckmehb32.exe File created C:\Windows\SysWOW64\Nlljlela.dll Eiobceef.exe File created C:\Windows\SysWOW64\Edflhb32.dll Icknfcol.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Process not Found File created C:\Windows\SysWOW64\Ggqida32.exe Gepmlimi.exe File opened for modification C:\Windows\SysWOW64\Jgadgf32.exe Jdbhkk32.exe File created C:\Windows\SysWOW64\Jhkjmn32.dll Dapkni32.exe File created C:\Windows\SysWOW64\Hhmedh32.dll Akamff32.exe File created C:\Windows\SysWOW64\Mjahlgpf.exe Mgclpkac.exe File created C:\Windows\SysWOW64\Igajal32.exe Ipgbdbqb.exe File opened for modification C:\Windows\SysWOW64\Ggqida32.exe Gepmlimi.exe File created C:\Windows\SysWOW64\Hjdipffl.dll Jbbfdfkn.exe File opened for modification C:\Windows\SysWOW64\Njkkbehl.exe Nhmofj32.exe File created C:\Windows\SysWOW64\Ennqfenp.exe Ekodjiol.exe File created C:\Windows\SysWOW64\Fcpjljph.dll Process not Found File created C:\Windows\SysWOW64\Aoimppcd.dll Pjbkgfej.exe File opened for modification C:\Windows\SysWOW64\Hiiggoaf.exe Hgkkkcbc.exe File created C:\Windows\SysWOW64\Pfogpg32.dll Efffmo32.exe File created C:\Windows\SysWOW64\Hblkjo32.exe Hoaojp32.exe File opened for modification C:\Windows\SysWOW64\Amddjegd.exe Anadoi32.exe File created C:\Windows\SysWOW64\Bfhadc32.exe Bciehh32.exe File created C:\Windows\SysWOW64\Adfonlkp.dll Jofalmmp.exe File created C:\Windows\SysWOW64\Hhhjoabm.dll Gipdap32.exe File created C:\Windows\SysWOW64\Oelolmnd.exe Omegjomb.exe File created C:\Windows\SysWOW64\Nhpbfpka.exe Neafjdkn.exe File created C:\Windows\SysWOW64\Kmmmic32.dll Ohlimd32.exe File created C:\Windows\SysWOW64\Bqkill32.exe Bidqko32.exe File opened for modification C:\Windows\SysWOW64\Ggpbjkpl.exe Gdafnpqh.exe File created C:\Windows\SysWOW64\Phganm32.exe Peieba32.exe File created C:\Windows\SysWOW64\Iecgdnkl.dll Bkdcbd32.exe File created C:\Windows\SysWOW64\Eblpgjha.exe Epndknin.exe File created C:\Windows\SysWOW64\Gekcaj32.exe Foqkdp32.exe File created C:\Windows\SysWOW64\Madccamk.dll Ifleoe32.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Alelqb32.exe Ahippdbe.exe File created C:\Windows\SysWOW64\Ineedcfb.dll Coadnlnb.exe File created C:\Windows\SysWOW64\Nacmdf32.exe Nbqmiinl.exe File created C:\Windows\SysWOW64\Nhahaiec.exe Neclenfo.exe File created C:\Windows\SysWOW64\Bmngqdpj.exe Bganhm32.exe File opened for modification C:\Windows\SysWOW64\Dfhjkabi.exe Dpnbog32.exe File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe Process not Found File created C:\Windows\SysWOW64\Cpfcfmlp.exe Process not Found File created C:\Windows\SysWOW64\Daconoae.exe Dfnjafap.exe File created C:\Windows\SysWOW64\Jieqei32.dll Jgdhgmep.exe File created C:\Windows\SysWOW64\Ganmcc32.dll Hjhalefe.exe File created C:\Windows\SysWOW64\Pldcjeia.exe Pejkmk32.exe File opened for modification C:\Windows\SysWOW64\Ocamjm32.exe Oofaiokl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8512 8376 Process not Found 1298 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajlhqjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflplnlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkcfid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcjmmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmkkjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggilil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfaefkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpendjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmlhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbqklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgjjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onpjichj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopbnbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fknbil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjajeqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhifjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neccpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnfge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhihdcbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbfklei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefabkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiggbhda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhpdcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjlgefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlieda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhpqhlh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahdik32.dll" Idgojc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgcbgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aehgnied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgbhfbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjahlgpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnikd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceckcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecgdnkl.dll" Bkdcbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnhahj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfillg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhonib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll" Ebgpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaplg32.dll" Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emekpbca.dll" Qoifflkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiaci32.dll" Aodfajaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofkjd32.dll" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnjdgj.dll" Djfcaohp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll" Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlmgopjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll" Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohgoaehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dckdjomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpjjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicdfa32.dll" Ljbfpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poajkgnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghpendjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djcoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmkkmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbponhh.dll" Llipehgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afelhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjaphek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgpgng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehiffj32.dll" Gijekg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3468 wrote to memory of 3084 3468 704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe 85 PID 3468 wrote to memory of 3084 3468 704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe 85 PID 3468 wrote to memory of 3084 3468 704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe 85 PID 3084 wrote to memory of 4744 3084 Pcijeb32.exe 86 PID 3084 wrote to memory of 4744 3084 Pcijeb32.exe 86 PID 3084 wrote to memory of 4744 3084 Pcijeb32.exe 86 PID 4744 wrote to memory of 3752 4744 Pgefeajb.exe 87 PID 4744 wrote to memory of 3752 4744 Pgefeajb.exe 87 PID 4744 wrote to memory of 3752 4744 Pgefeajb.exe 87 PID 3752 wrote to memory of 4572 3752 Pnonbk32.exe 88 PID 3752 wrote to memory of 4572 3752 Pnonbk32.exe 88 PID 3752 wrote to memory of 4572 3752 Pnonbk32.exe 88 PID 4572 wrote to memory of 904 4572 Pdifoehl.exe 89 PID 4572 wrote to memory of 904 4572 Pdifoehl.exe 89 PID 4572 wrote to memory of 904 4572 Pdifoehl.exe 89 PID 904 wrote to memory of 3436 904 Pfjcgn32.exe 91 PID 904 wrote to memory of 3436 904 Pfjcgn32.exe 91 PID 904 wrote to memory of 3436 904 Pfjcgn32.exe 91 PID 3436 wrote to memory of 1040 3436 Pmdkch32.exe 92 PID 3436 wrote to memory of 1040 3436 Pmdkch32.exe 92 PID 3436 wrote to memory of 1040 3436 Pmdkch32.exe 92 PID 1040 wrote to memory of 3496 1040 Pcncpbmd.exe 93 PID 1040 wrote to memory of 3496 1040 Pcncpbmd.exe 93 PID 1040 wrote to memory of 3496 1040 Pcncpbmd.exe 93 PID 3496 wrote to memory of 5080 3496 Pflplnlg.exe 94 PID 3496 wrote to memory of 5080 3496 Pflplnlg.exe 94 PID 3496 wrote to memory of 5080 3496 Pflplnlg.exe 94 PID 5080 wrote to memory of 3824 5080 Pmfhig32.exe 95 PID 5080 wrote to memory of 3824 5080 Pmfhig32.exe 95 PID 5080 wrote to memory of 3824 5080 Pmfhig32.exe 95 PID 3824 wrote to memory of 2212 3824 Pdmpje32.exe 96 PID 3824 wrote to memory of 2212 3824 Pdmpje32.exe 96 PID 3824 wrote to memory of 2212 3824 Pdmpje32.exe 96 PID 2212 wrote to memory of 4016 2212 Pfolbmje.exe 97 PID 2212 wrote to memory of 4016 2212 Pfolbmje.exe 97 PID 2212 wrote to memory of 4016 2212 Pfolbmje.exe 97 PID 4016 wrote to memory of 1652 4016 Pnfdcjkg.exe 98 PID 4016 wrote to memory of 1652 4016 Pnfdcjkg.exe 98 PID 4016 wrote to memory of 1652 4016 Pnfdcjkg.exe 98 PID 1652 wrote to memory of 3428 1652 Pdpmpdbd.exe 99 PID 1652 wrote to memory of 3428 1652 Pdpmpdbd.exe 99 PID 1652 wrote to memory of 3428 1652 Pdpmpdbd.exe 99 PID 3428 wrote to memory of 3200 3428 Pfaigm32.exe 100 PID 3428 wrote to memory of 3200 3428 Pfaigm32.exe 100 PID 3428 wrote to memory of 3200 3428 Pfaigm32.exe 100 PID 3200 wrote to memory of 2232 3200 Qnhahj32.exe 101 PID 3200 wrote to memory of 2232 3200 Qnhahj32.exe 101 PID 3200 wrote to memory of 2232 3200 Qnhahj32.exe 101 PID 2232 wrote to memory of 1408 2232 Qdbiedpa.exe 102 PID 2232 wrote to memory of 1408 2232 Qdbiedpa.exe 102 PID 2232 wrote to memory of 1408 2232 Qdbiedpa.exe 102 PID 1408 wrote to memory of 4484 1408 Qgqeappe.exe 103 PID 1408 wrote to memory of 4484 1408 Qgqeappe.exe 103 PID 1408 wrote to memory of 4484 1408 Qgqeappe.exe 103 PID 4484 wrote to memory of 1776 4484 Qjoankoi.exe 104 PID 4484 wrote to memory of 1776 4484 Qjoankoi.exe 104 PID 4484 wrote to memory of 1776 4484 Qjoankoi.exe 104 PID 1776 wrote to memory of 556 1776 Qqijje32.exe 105 PID 1776 wrote to memory of 556 1776 Qqijje32.exe 105 PID 1776 wrote to memory of 556 1776 Qqijje32.exe 105 PID 556 wrote to memory of 3968 556 Qgcbgo32.exe 106 PID 556 wrote to memory of 3968 556 Qgcbgo32.exe 106 PID 556 wrote to memory of 3968 556 Qgcbgo32.exe 106 PID 3968 wrote to memory of 4996 3968 Anmjcieo.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe"C:\Users\Admin\AppData\Local\Temp\704f04a0fbb3d36313fdcc70c30dcebf050df5ff743b3f765ac39c60a55736aaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Pfaigm32.exeC:\Windows\system32\Pfaigm32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Qdbiedpa.exeC:\Windows\system32\Qdbiedpa.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Qqijje32.exeC:\Windows\system32\Qqijje32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Anmjcieo.exeC:\Windows\system32\Anmjcieo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe23⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe24⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Anogiicl.exeC:\Windows\system32\Anogiicl.exe25⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe26⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe27⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Afjlnk32.exeC:\Windows\system32\Afjlnk32.exe28⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe30⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe31⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe32⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe34⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe35⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Aepefb32.exeC:\Windows\system32\Aepefb32.exe36⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe37⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe39⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe40⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4508 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe42⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe43⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe44⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe46⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Banllbdn.exeC:\Windows\system32\Banllbdn.exe47⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe48⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe49⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe50⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe51⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe52⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe53⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe54⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe55⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe56⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe57⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe59⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4172 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe61⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe62⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe63⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe64⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe65⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe66⤵PID:836
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe67⤵PID:1340
-
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe68⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe69⤵PID:1216
-
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe70⤵PID:2868
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe71⤵PID:1072
-
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe72⤵PID:4360
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe73⤵PID:1536
-
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe74⤵PID:404
-
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe75⤵PID:3672
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe76⤵PID:3804
-
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe77⤵PID:2788
-
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe78⤵PID:3584
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe80⤵PID:1912
-
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe81⤵
- System Location Discovery: System Language Discovery
PID:4636 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe82⤵PID:2940
-
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe84⤵PID:4128
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe85⤵PID:3164
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe87⤵PID:2692
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe88⤵PID:1796
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe89⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe90⤵PID:1332
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:64 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe92⤵PID:1480
-
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:800 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe94⤵PID:216
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe95⤵PID:3644
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe96⤵PID:3748
-
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe97⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe98⤵
- Drops file in System32 directory
PID:4652 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe99⤵PID:4964
-
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe100⤵PID:3356
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe102⤵PID:5148
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe103⤵PID:5192
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe104⤵PID:5236
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe105⤵PID:5284
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe106⤵
- Drops file in System32 directory
PID:5328 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe107⤵PID:5372
-
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe108⤵PID:5416
-
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe109⤵PID:5456
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe111⤵PID:5544
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe112⤵PID:5588
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe113⤵PID:5628
-
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe114⤵PID:5676
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe115⤵PID:5720
-
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe116⤵PID:5764
-
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe118⤵PID:5852
-
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe119⤵PID:5896
-
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe120⤵PID:5940
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe121⤵PID:5984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-