Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
13-10-2024 11:12
Static task
static1
Behavioral task
behavioral1
Sample
47b12d5b4e268e83ea899dbbae29808a66dfbddfe43908ba7369091f80390749N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
47b12d5b4e268e83ea899dbbae29808a66dfbddfe43908ba7369091f80390749N.exe
Resource
win10v2004-20241007-en
General
-
Target
47b12d5b4e268e83ea899dbbae29808a66dfbddfe43908ba7369091f80390749N.exe
-
Size
80KB
-
MD5
a4339f119a6c93f7a05560b8a95f83a0
-
SHA1
b52962b956ae9430b0aae1a865a58f4693e369df
-
SHA256
47b12d5b4e268e83ea899dbbae29808a66dfbddfe43908ba7369091f80390749
-
SHA512
5d79ffeb7c1c4df9379a2b582456de86ac57b428936a78e6faa67b28ae31f5a315009908361c2a2ef39ee57ba7944273ac5f3dd3a1f8480d1472c00b66dac1e5
-
SSDEEP
1536:FCSg4WcqTEEOYnUufJXfl/iD22Ltmwfi+TjRC/6y:VWcKEMPf5N/iDb4wf1TjYD
Malware Config
Extracted
berbew
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid pid_target Process procid_target 11948 12284 Process not Found 1534 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\47b12d5b4e268e83ea899dbbae29808a66dfbddfe43908ba7369091f80390749N.exe"C:\Users\Admin\AppData\Local\Temp\47b12d5b4e268e83ea899dbbae29808a66dfbddfe43908ba7369091f80390749N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Cfhhepjm.exeC:\Windows\system32\Cfhhepjm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Cmbpaj32.exeC:\Windows\system32\Cmbpaj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Cdlhnd32.exeC:\Windows\system32\Cdlhnd32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Cfjejp32.exeC:\Windows\system32\Cfjejp32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Dmdmgjpg.exeC:\Windows\system32\Dmdmgjpg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Ddnedd32.exeC:\Windows\system32\Ddnedd32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Djhmqnnq.exeC:\Windows\system32\Djhmqnnq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Dodiam32.exeC:\Windows\system32\Dodiam32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Denang32.exeC:\Windows\system32\Denang32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Dfoneode.exeC:\Windows\system32\Dfoneode.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Doffgmdg.exeC:\Windows\system32\Doffgmdg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Dmifbi32.exeC:\Windows\system32\Dmifbi32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Dhokpb32.exeC:\Windows\system32\Dhokpb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Dfakkobb.exeC:\Windows\system32\Dfakkobb.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Dmkchi32.exeC:\Windows\system32\Dmkchi32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Ddekdc32.exeC:\Windows\system32\Ddekdc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Dgdgqo32.exeC:\Windows\system32\Dgdgqo32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Deehofho.exeC:\Windows\system32\Deehofho.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Egfdfn32.exeC:\Windows\system32\Egfdfn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Eomlgk32.exeC:\Windows\system32\Eomlgk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\Edjepb32.exeC:\Windows\system32\Edjepb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Eghalnlj.exeC:\Windows\system32\Eghalnlj.exe23⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Eopimkml.exeC:\Windows\system32\Eopimkml.exe24⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Eaneiflp.exeC:\Windows\system32\Eaneiflp.exe25⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Edlaebkd.exeC:\Windows\system32\Edlaebkd.exe26⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Egknanjg.exeC:\Windows\system32\Egknanjg.exe27⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Emefng32.exeC:\Windows\system32\Emefng32.exe28⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Eelnoe32.exeC:\Windows\system32\Eelnoe32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Edonkaia.exeC:\Windows\system32\Edonkaia.exe30⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ekifglpn.exeC:\Windows\system32\Ekifglpn.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4884 -
C:\Windows\SysWOW64\Eodbhj32.exeC:\Windows\system32\Eodbhj32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Eabodf32.exeC:\Windows\system32\Eabodf32.exe33⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Edakpa32.exeC:\Windows\system32\Edakpa32.exe34⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Egpglm32.exeC:\Windows\system32\Egpglm32.exe35⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ekkcmknk.exeC:\Windows\system32\Ekkcmknk.exe36⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Eeqgjdna.exeC:\Windows\system32\Eeqgjdna.exe37⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Fhocfpme.exeC:\Windows\system32\Fhocfpme.exe38⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Foilcjdb.exeC:\Windows\system32\Foilcjdb.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Fkpmhk32.exeC:\Windows\system32\Fkpmhk32.exe40⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe41⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Fhcmao32.exeC:\Windows\system32\Fhcmao32.exe42⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Fnqejfgg.exeC:\Windows\system32\Fnqejfgg.exe43⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe44⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Fkdfcjfq.exeC:\Windows\system32\Fkdfcjfq.exe45⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Fejjqcff.exeC:\Windows\system32\Fejjqcff.exe46⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe47⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Fgkfhk32.exeC:\Windows\system32\Fgkfhk32.exe48⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe49⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Faqkedkk.exeC:\Windows\system32\Faqkedkk.exe50⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe51⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Gkioni32.exeC:\Windows\system32\Gkioni32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Gnglje32.exeC:\Windows\system32\Gnglje32.exe53⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe54⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Ghmphn32.exeC:\Windows\system32\Ghmphn32.exe55⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe56⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe57⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe58⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe59⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Gdfmbn32.exeC:\Windows\system32\Gdfmbn32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Gnoakdkg.exeC:\Windows\system32\Gnoakdkg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe62⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe64⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Hkeojh32.exeC:\Windows\system32\Hkeojh32.exe65⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hfjcgq32.exeC:\Windows\system32\Hfjcgq32.exe66⤵PID:2480
-
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe67⤵
- System Location Discovery: System Language Discovery
PID:4188 -
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe68⤵PID:112
-
C:\Windows\SysWOW64\Hkihegdi.exeC:\Windows\system32\Hkihegdi.exe69⤵PID:3616
-
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe70⤵PID:460
-
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe71⤵PID:4988
-
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe72⤵PID:2716
-
C:\Windows\SysWOW64\Hfaihp32.exeC:\Windows\system32\Hfaihp32.exe73⤵PID:3112
-
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe74⤵PID:4924
-
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe75⤵PID:2100
-
C:\Windows\SysWOW64\Hbhjmqgp.exeC:\Windows\system32\Hbhjmqgp.exe76⤵
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe77⤵PID:2632
-
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe78⤵PID:532
-
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe79⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Igjlpg32.exeC:\Windows\system32\Igjlpg32.exe80⤵PID:4156
-
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe81⤵PID:3948
-
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe82⤵PID:1712
-
C:\Windows\SysWOW64\Iilepi32.exeC:\Windows\system32\Iilepi32.exe83⤵PID:3032
-
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe84⤵PID:4808
-
C:\Windows\SysWOW64\Jgqbaf32.exeC:\Windows\system32\Jgqbaf32.exe85⤵PID:520
-
C:\Windows\SysWOW64\Jgcofe32.exeC:\Windows\system32\Jgcofe32.exe86⤵PID:392
-
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe87⤵PID:3280
-
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe88⤵PID:1032
-
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe89⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe90⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\Kndmdojl.exeC:\Windows\system32\Kndmdojl.exe91⤵PID:4696
-
C:\Windows\SysWOW64\Kpcina32.exeC:\Windows\system32\Kpcina32.exe92⤵PID:5024
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe93⤵
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe94⤵PID:5100
-
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe95⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Khonbdoj.exeC:\Windows\system32\Khonbdoj.exe96⤵PID:2252
-
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe97⤵PID:2660
-
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe98⤵PID:5036
-
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe99⤵PID:4644
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe100⤵PID:952
-
C:\Windows\SysWOW64\Kfbkfk32.exeC:\Windows\system32\Kfbkfk32.exe101⤵PID:1616
-
C:\Windows\SysWOW64\Khchmc32.exeC:\Windows\system32\Khchmc32.exe102⤵PID:1576
-
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe103⤵PID:4004
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe104⤵PID:3668
-
C:\Windows\SysWOW64\Keghgg32.exeC:\Windows\system32\Keghgg32.exe105⤵PID:2644
-
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe106⤵PID:2168
-
C:\Windows\SysWOW64\Lnpmpmpo.exeC:\Windows\system32\Lnpmpmpo.exe107⤵PID:5144
-
C:\Windows\SysWOW64\Lejelg32.exeC:\Windows\system32\Lejelg32.exe108⤵PID:5188
-
C:\Windows\SysWOW64\Llcmia32.exeC:\Windows\system32\Llcmia32.exe109⤵PID:5232
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe110⤵
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Lfiafj32.exeC:\Windows\system32\Lfiafj32.exe111⤵PID:5316
-
C:\Windows\SysWOW64\Lihnbe32.exeC:\Windows\system32\Lihnbe32.exe112⤵PID:5360
-
C:\Windows\SysWOW64\Lpafopeo.exeC:\Windows\system32\Lpafopeo.exe113⤵PID:5400
-
C:\Windows\SysWOW64\Lbpbkkdc.exeC:\Windows\system32\Lbpbkkdc.exe114⤵PID:5444
-
C:\Windows\SysWOW64\Lenngfcf.exeC:\Windows\system32\Lenngfcf.exe115⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe116⤵PID:5528
-
C:\Windows\SysWOW64\Logbpljg.exeC:\Windows\system32\Logbpljg.exe117⤵PID:5572
-
C:\Windows\SysWOW64\Lilgnejm.exeC:\Windows\system32\Lilgnejm.exe118⤵PID:5616
-
C:\Windows\SysWOW64\Llkcjpiq.exeC:\Windows\system32\Llkcjpiq.exe119⤵PID:5660
-
C:\Windows\SysWOW64\Lbekfj32.exeC:\Windows\system32\Lbekfj32.exe120⤵PID:5704
-
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe121⤵
- Modifies registry class
PID:5748 -
C:\Windows\SysWOW64\Lechbf32.exeC:\Windows\system32\Lechbf32.exe122⤵PID:5792
-