Analysis
-
max time kernel
94s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2024 03:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe
-
Size
55KB
-
MD5
2f1b1c5e442ae47bdccf2f994e5fc103
-
SHA1
944e59b3a5592673dbaf717f2d0cc3e3f2453f74
-
SHA256
d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9
-
SHA512
866dde3485da30ebc5c8b5109bae5f14d951a71dc36126dfe35f6926fa6c626312772d66f9e63af0dc6b788b53ed45d8e14ac2a8862b331705cce33eaba9d326
-
SSDEEP
1536:n+0xuteAgJCOvAcT7kSo8JgsVipJ92LK:nnuteUyiHsKJOK
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgfkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nimbkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiado32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppopjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igajal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikglnkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkgnfhnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iahlcaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgobel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflide32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onnmdcjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poaqemao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmnmgnoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhppji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efeihb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkkmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kinmcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgffic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qadoba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcjmmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbbch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acilajpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljgpkonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emanjldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igjngh32.exe -
Executes dropped EXE 64 IoCs
pid Process 3156 Lhdqnj32.exe 1488 Lpkiph32.exe 2520 Lbjelc32.exe 3212 Lehaho32.exe 1736 Lhfmdj32.exe 3220 Lpneegel.exe 5000 Lnqeqd32.exe 4592 Lfhnaa32.exe 3236 Lhijijbg.exe 4496 Lppbkgcj.exe 2272 Lbnngbbn.exe 5076 Lemkcnaa.exe 2576 Lhkgoiqe.exe 3152 Loeolc32.exe 4840 Likcilhh.exe 1328 Llipehgk.exe 3756 Loglacfo.exe 1064 Leadnm32.exe 3604 Mhppji32.exe 4036 Mpghkf32.exe 4728 Mfaqhp32.exe 2184 Mhbmphjm.exe 4320 Mbhamajc.exe 1664 Mhdjehhj.exe 3100 Mlpeff32.exe 4472 Mbjnbqhp.exe 3600 Mhgfkg32.exe 4224 Moaogand.exe 2676 Mfhfhong.exe 3172 Mhicpg32.exe 3876 Mockmala.exe 1716 Mfjcnold.exe 4284 Nhlpfgbb.exe 404 Nlglfe32.exe 752 Noehba32.exe 3436 Neppokal.exe 2024 Nlihle32.exe 2956 Nohehq32.exe 2008 Nebmekoi.exe 2300 Nhpiafnm.exe 1772 Nlleaeff.exe 4460 Ngaionfl.exe 5104 Nipekiep.exe 2624 Nlnbgddc.exe 1800 Npjnhc32.exe 4256 Ngdfdmdi.exe 676 Nibbqicm.exe 3360 Nlqomd32.exe 5088 Ncjginjn.exe 4720 Ogfcjm32.exe 3796 Oidofh32.exe 3076 Olckbd32.exe 4884 Ooagno32.exe 3080 Oghppm32.exe 4992 Ohjlgefb.exe 2264 Olehhc32.exe 4748 Oiihahme.exe 1596 Opcqnb32.exe 1004 Ogmijllo.exe 1072 Oileggkb.exe 3216 Ohnebd32.exe 3288 Oohnonij.exe 996 Ollnhb32.exe 5072 Ookjdn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hplicjok.exe Hmnmgnoh.exe File created C:\Windows\SysWOW64\Pmaffnce.exe Plpjoe32.exe File created C:\Windows\SysWOW64\Jcdjbk32.exe Jpenfp32.exe File created C:\Windows\SysWOW64\Eepmqdbn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pgflqkdd.exe Poodpmca.exe File created C:\Windows\SysWOW64\Fplpll32.exe Flqdlnde.exe File created C:\Windows\SysWOW64\Jjdjoane.exe Jgenbfoa.exe File created C:\Windows\SysWOW64\Oaompd32.exe Ooqqdi32.exe File opened for modification C:\Windows\SysWOW64\Gmggfp32.exe Gkhkjd32.exe File created C:\Windows\SysWOW64\Ppipkl32.dll Gmggfp32.exe File created C:\Windows\SysWOW64\Lggldm32.exe Ldipha32.exe File created C:\Windows\SysWOW64\Dfglfdkb.exe Dbkqfe32.exe File created C:\Windows\SysWOW64\Lfhnaa32.exe Lnqeqd32.exe File created C:\Windows\SysWOW64\Pidcecbj.dll Phlacbfm.exe File created C:\Windows\SysWOW64\Bedgjgkg.exe Bnmoijje.exe File created C:\Windows\SysWOW64\Hoobdp32.exe Hlpfhe32.exe File created C:\Windows\SysWOW64\Nincmhle.dll Likcilhh.exe File opened for modification C:\Windows\SysWOW64\Emehdh32.exe Ejflhm32.exe File created C:\Windows\SysWOW64\Nfamlc32.dll Jpfepf32.exe File opened for modification C:\Windows\SysWOW64\Nflkbanj.exe Ncnofeof.exe File created C:\Windows\SysWOW64\Cfapoa32.dll Bfbaonae.exe File created C:\Windows\SysWOW64\Gpnfge32.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Bajqda32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ckjknfnh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kgmcce32.exe Kenggi32.exe File created C:\Windows\SysWOW64\Neoieenp.exe Nacmdf32.exe File created C:\Windows\SysWOW64\Ejhmqp32.dll Ffclcgfn.exe File created C:\Windows\SysWOW64\Phcgcqab.exe Process not Found File created C:\Windows\SysWOW64\Kdohmibo.dll Lhkgoiqe.exe File opened for modification C:\Windows\SysWOW64\Ddcqedkk.exe Dpgeee32.exe File opened for modification C:\Windows\SysWOW64\Elpkep32.exe Ejoomhmi.exe File created C:\Windows\SysWOW64\Hdjgko32.dll Kkpbin32.exe File opened for modification C:\Windows\SysWOW64\Afjeceml.exe Ackigjmh.exe File created C:\Windows\SysWOW64\Dpnkdq32.exe Dkbocbog.exe File created C:\Windows\SysWOW64\Kloeol32.dll Oboijgbl.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Iljpij32.exe File created C:\Windows\SysWOW64\Pioelhgj.dll Iciaqc32.exe File created C:\Windows\SysWOW64\Plmmif32.exe Pdfehh32.exe File created C:\Windows\SysWOW64\Ekpped32.dll Qklmpalf.exe File created C:\Windows\SysWOW64\Plhnda32.exe Phlacbfm.exe File opened for modification C:\Windows\SysWOW64\Emlenj32.exe Djmibn32.exe File created C:\Windows\SysWOW64\Ahofoogd.exe Process not Found File created C:\Windows\SysWOW64\Gknkpjfb.exe Ghpocngo.exe File created C:\Windows\SysWOW64\Aqdjon32.dll Bjbfklei.exe File created C:\Windows\SysWOW64\Nkgdfb32.dll Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Ffpicn32.exe Fdamgb32.exe File opened for modification C:\Windows\SysWOW64\Jiiicf32.exe Jgkmgk32.exe File created C:\Windows\SysWOW64\Ngqpijkf.dll Cimmggfl.exe File created C:\Windows\SysWOW64\Cnkkjh32.exe Ckmonl32.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Goglcahb.exe File created C:\Windows\SysWOW64\Ahmjjoig.exe Process not Found File created C:\Windows\SysWOW64\Jhijep32.dll Process not Found File created C:\Windows\SysWOW64\Kelkaj32.exe Kbmoen32.exe File created C:\Windows\SysWOW64\Dmhidbhg.dll Alqjpi32.exe File opened for modification C:\Windows\SysWOW64\Mjpbam32.exe Miofjepg.exe File created C:\Windows\SysWOW64\Ofimgb32.dll Phganm32.exe File created C:\Windows\SysWOW64\Cjliajmo.exe Cbeapmll.exe File created C:\Windows\SysWOW64\Gdobnj32.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Fmplqd32.dll Lfeljd32.exe File created C:\Windows\SysWOW64\Egilaj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lnqeqd32.exe Lpneegel.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fpmggb32.exe File opened for modification C:\Windows\SysWOW64\Fhflnpoi.exe Fpodlbng.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6088 5820 Process not Found 1186 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgpkonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfefkkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inainbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igbalblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napjdpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iklgah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbaonae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joahqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnedlao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgghjjid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchlpfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eciplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobilkcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnhidk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lemkcnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqqdeod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdffbake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcmga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooejohhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefgbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbhqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmoen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempqa32.dll" Nagiji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqmidndd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljejh32.dll" Knfeeimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqdaadln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nincmhle.dll" Likcilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhlkhcm.dll" Npjnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqkpeopg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll" Cfbcke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdenmbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empoiimf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qadoba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcgnbaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddhbipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pagbaglh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phajna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomkkpc.dll" Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaocia32.dll" Idkkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haffcnib.dll" Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgflfoob.dll" Gdfoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjfee32.dll" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll" Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlleaeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmkcqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhijepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfcklij.dll" Ckeimm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiodpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojenek32.dll" Oclkgccf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkoigdom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmflbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meiioonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iciaqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaaidfk.dll" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikqqlgem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnhpoamf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4752 wrote to memory of 3156 4752 d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe 84 PID 4752 wrote to memory of 3156 4752 d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe 84 PID 4752 wrote to memory of 3156 4752 d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe 84 PID 3156 wrote to memory of 1488 3156 Lhdqnj32.exe 85 PID 3156 wrote to memory of 1488 3156 Lhdqnj32.exe 85 PID 3156 wrote to memory of 1488 3156 Lhdqnj32.exe 85 PID 1488 wrote to memory of 2520 1488 Lpkiph32.exe 87 PID 1488 wrote to memory of 2520 1488 Lpkiph32.exe 87 PID 1488 wrote to memory of 2520 1488 Lpkiph32.exe 87 PID 2520 wrote to memory of 3212 2520 Lbjelc32.exe 88 PID 2520 wrote to memory of 3212 2520 Lbjelc32.exe 88 PID 2520 wrote to memory of 3212 2520 Lbjelc32.exe 88 PID 3212 wrote to memory of 1736 3212 Lehaho32.exe 89 PID 3212 wrote to memory of 1736 3212 Lehaho32.exe 89 PID 3212 wrote to memory of 1736 3212 Lehaho32.exe 89 PID 1736 wrote to memory of 3220 1736 Lhfmdj32.exe 90 PID 1736 wrote to memory of 3220 1736 Lhfmdj32.exe 90 PID 1736 wrote to memory of 3220 1736 Lhfmdj32.exe 90 PID 3220 wrote to memory of 5000 3220 Lpneegel.exe 91 PID 3220 wrote to memory of 5000 3220 Lpneegel.exe 91 PID 3220 wrote to memory of 5000 3220 Lpneegel.exe 91 PID 5000 wrote to memory of 4592 5000 Lnqeqd32.exe 92 PID 5000 wrote to memory of 4592 5000 Lnqeqd32.exe 92 PID 5000 wrote to memory of 4592 5000 Lnqeqd32.exe 92 PID 4592 wrote to memory of 3236 4592 Lfhnaa32.exe 93 PID 4592 wrote to memory of 3236 4592 Lfhnaa32.exe 93 PID 4592 wrote to memory of 3236 4592 Lfhnaa32.exe 93 PID 3236 wrote to memory of 4496 3236 Lhijijbg.exe 94 PID 3236 wrote to memory of 4496 3236 Lhijijbg.exe 94 PID 3236 wrote to memory of 4496 3236 Lhijijbg.exe 94 PID 4496 wrote to memory of 2272 4496 Lppbkgcj.exe 95 PID 4496 wrote to memory of 2272 4496 Lppbkgcj.exe 95 PID 4496 wrote to memory of 2272 4496 Lppbkgcj.exe 95 PID 2272 wrote to memory of 5076 2272 Lbnngbbn.exe 96 PID 2272 wrote to memory of 5076 2272 Lbnngbbn.exe 96 PID 2272 wrote to memory of 5076 2272 Lbnngbbn.exe 96 PID 5076 wrote to memory of 2576 5076 Lemkcnaa.exe 98 PID 5076 wrote to memory of 2576 5076 Lemkcnaa.exe 98 PID 5076 wrote to memory of 2576 5076 Lemkcnaa.exe 98 PID 2576 wrote to memory of 3152 2576 Lhkgoiqe.exe 99 PID 2576 wrote to memory of 3152 2576 Lhkgoiqe.exe 99 PID 2576 wrote to memory of 3152 2576 Lhkgoiqe.exe 99 PID 3152 wrote to memory of 4840 3152 Loeolc32.exe 100 PID 3152 wrote to memory of 4840 3152 Loeolc32.exe 100 PID 3152 wrote to memory of 4840 3152 Loeolc32.exe 100 PID 4840 wrote to memory of 1328 4840 Likcilhh.exe 101 PID 4840 wrote to memory of 1328 4840 Likcilhh.exe 101 PID 4840 wrote to memory of 1328 4840 Likcilhh.exe 101 PID 1328 wrote to memory of 3756 1328 Llipehgk.exe 102 PID 1328 wrote to memory of 3756 1328 Llipehgk.exe 102 PID 1328 wrote to memory of 3756 1328 Llipehgk.exe 102 PID 3756 wrote to memory of 1064 3756 Loglacfo.exe 103 PID 3756 wrote to memory of 1064 3756 Loglacfo.exe 103 PID 3756 wrote to memory of 1064 3756 Loglacfo.exe 103 PID 1064 wrote to memory of 3604 1064 Leadnm32.exe 104 PID 1064 wrote to memory of 3604 1064 Leadnm32.exe 104 PID 1064 wrote to memory of 3604 1064 Leadnm32.exe 104 PID 3604 wrote to memory of 4036 3604 Mhppji32.exe 105 PID 3604 wrote to memory of 4036 3604 Mhppji32.exe 105 PID 3604 wrote to memory of 4036 3604 Mhppji32.exe 105 PID 4036 wrote to memory of 4728 4036 Mpghkf32.exe 106 PID 4036 wrote to memory of 4728 4036 Mpghkf32.exe 106 PID 4036 wrote to memory of 4728 4036 Mpghkf32.exe 106 PID 4728 wrote to memory of 2184 4728 Mfaqhp32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe"C:\Users\Admin\AppData\Local\Temp\d48e120f4deac636defc5101d825d49d21f414ef19a2a3fb3bda28c79bb953e9.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe23⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe24⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe25⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe26⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe27⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe29⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe30⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe31⤵
- Executes dropped EXE
PID:3172 -
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe32⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe33⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe34⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe35⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe36⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe37⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe38⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe39⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe40⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe41⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe43⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe44⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe45⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe47⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe48⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe49⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe50⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe51⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3796 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe53⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe54⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe55⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe56⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe57⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe58⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe59⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe60⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe61⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe62⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe63⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe64⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe65⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe66⤵PID:2308
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe67⤵PID:1396
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe68⤵PID:3232
-
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe69⤵PID:4368
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe70⤵PID:4188
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe71⤵PID:4828
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe72⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe73⤵PID:4180
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe74⤵PID:4104
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe77⤵
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe78⤵PID:5064
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe79⤵PID:3928
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe80⤵PID:4932
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe81⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe82⤵PID:4348
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe83⤵PID:1516
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe84⤵PID:3264
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe85⤵PID:2388
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe86⤵PID:2776
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe87⤵PID:2904
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe88⤵PID:536
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe89⤵PID:4880
-
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe90⤵PID:4208
-
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe91⤵PID:2668
-
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe92⤵
- Modifies registry class
PID:100 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4688 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe94⤵PID:3656
-
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe95⤵PID:2244
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe96⤵PID:512
-
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe97⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe98⤵PID:1224
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe99⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe100⤵PID:1836
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe101⤵PID:3896
-
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe102⤵PID:3048
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe103⤵PID:4296
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe104⤵PID:3296
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe105⤵PID:4124
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe106⤵PID:1952
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe107⤵PID:2404
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe108⤵PID:2800
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe109⤵PID:900
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe110⤵PID:3516
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe111⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5208 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe113⤵PID:5252
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe114⤵PID:5296
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe115⤵PID:5340
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe116⤵PID:5384
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe117⤵PID:5428
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe118⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe119⤵PID:5516
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe120⤵PID:5560
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe121⤵PID:5604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-