Analysis
-
max time kernel
94s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:40
Static task
static1
Behavioral task
behavioral1
Sample
fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe
Resource
win10v2004-20241007-en
General
-
Target
fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe
-
Size
419KB
-
MD5
ecfa6f9d0a707fc35c819746bcf99f93
-
SHA1
342166868e8b1d4b6063f08d99ff4aa8861951e6
-
SHA256
fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2
-
SHA512
12d970d99abd75b318e8650296f9bf7884ec78af1083f1278d24ea243287b4991c686f6986934b3d4cc6945c0f3b7bfec9bc3fea03555850fb585f860fe9ee6e
-
SSDEEP
6144:ahPc6kAyByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R1L/gBSfGmtE1se:ajkFByvNv54B9f01ZmHByvNv5fJPGs
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnonkq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaekqhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amqhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnjdpaki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojiqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nheble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahgjejhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnfpinmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocopdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gikkfqmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnmkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgmgqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcdala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfbcke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkkhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eagaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikndgg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qikgco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dimenegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imgicgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bggnof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhiemoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejchhgid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjmcnbdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmfcok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niakfbpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaindh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejflhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbgeno32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 912 Nhlpfgbb.exe 4788 Npchgdcd.exe 2604 Noehba32.exe 3672 Nohehq32.exe 4208 Ngomin32.exe 952 Nebmekoi.exe 3728 Nedjjj32.exe 4008 Nhbfff32.exe 100 Nchjdo32.exe 3932 Nheble32.exe 5104 Ncjginjn.exe 2772 Ogfcjm32.exe 2720 Oeicejia.exe 1160 Ocmconhk.exe 2408 Oigllh32.exe 3748 Ocopdn32.exe 880 Oenlqi32.exe 4784 Olgemcli.exe 2292 Oofaiokl.exe 1776 Ocamjm32.exe 2556 Oepifi32.exe 4028 Ogpepl32.exe 1952 Ohqbhdpj.exe 3268 Ophjiaql.exe 4468 Pgbbek32.exe 2452 Ppjgoaoj.exe 1068 Pomgjn32.exe 4676 Pjbkgfej.exe 860 Phelcc32.exe 2444 Pgflqkdd.exe 692 Ppopjp32.exe 3668 Pcmlfl32.exe 4296 Pjgebf32.exe 4312 Pleaoa32.exe 4460 Ppamophb.exe 4496 Pcpikkge.exe 3776 Pjjahe32.exe 408 Plhnda32.exe 2060 Pofjpl32.exe 1584 Qgnbaj32.exe 5096 Qjlnnemp.exe 2016 Qljjjqlc.exe 4316 Qqffjo32.exe 1040 Qcdbfk32.exe 4520 Qfbobf32.exe 3412 Qhakoa32.exe 532 Qqhcpo32.exe 1372 Agbkmijg.exe 2092 Ajqgidij.exe 796 Ahchda32.exe 3692 Aqkpeopg.exe 4828 Aompak32.exe 1504 Afghneoo.exe 1756 Ahfdjanb.exe 1804 Aqmlknnd.exe 440 Ackigjmh.exe 5044 Aihaoqlp.exe 3424 Aqoiqn32.exe 3460 Acnemi32.exe 3648 Aflaie32.exe 3996 Aijnep32.exe 916 Aodfajaj.exe 4336 Aglnbhal.exe 548 Ajjjocap.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pjjahe32.exe Pcpikkge.exe File created C:\Windows\SysWOW64\Cgndoeag.exe Cpglnhad.exe File created C:\Windows\SysWOW64\Jbnnbmfj.dll Ooqqdi32.exe File created C:\Windows\SysWOW64\Cmmbbejp.exe Cfcjfk32.exe File created C:\Windows\SysWOW64\Dhhdcojj.dll Gingkqkd.exe File opened for modification C:\Windows\SysWOW64\Qiiflaoo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Djfcaohp.exe Dfjgaq32.exe File created C:\Windows\SysWOW64\Inhdfkln.dll Dfmcfp32.exe File opened for modification C:\Windows\SysWOW64\Aahbbkaq.exe Aojefobm.exe File opened for modification C:\Windows\SysWOW64\Clchbqoo.exe Cdlqqcnl.exe File created C:\Windows\SysWOW64\Nlkppnab.dll Process not Found File opened for modification C:\Windows\SysWOW64\Plhnda32.exe Pjjahe32.exe File created C:\Windows\SysWOW64\Appnje32.dll Jjafok32.exe File opened for modification C:\Windows\SysWOW64\Ahbjoe32.exe Aahbbkaq.exe File created C:\Windows\SysWOW64\Fmhgok32.dll Empoiimf.exe File created C:\Windows\SysWOW64\Mbbagk32.exe Ljkifn32.exe File opened for modification C:\Windows\SysWOW64\Oalipoiq.exe Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Dpkmal32.exe Dahmfpap.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Kmaopfjm.exe File created C:\Windows\SysWOW64\Akcjcnpe.dll Ebifmm32.exe File created C:\Windows\SysWOW64\Falcae32.exe Fkbkdkpp.exe File created C:\Windows\SysWOW64\Mjknojbk.dll Qkipkani.exe File created C:\Windows\SysWOW64\Ghcjeh32.dll Ebgpad32.exe File created C:\Windows\SysWOW64\Daeifj32.exe Process not Found File created C:\Windows\SysWOW64\Ilkibdpe.dll Pefhlaie.exe File created C:\Windows\SysWOW64\Ibfnqmpf.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Fdnhih32.exe Fbplml32.exe File opened for modification C:\Windows\SysWOW64\Qqhcpo32.exe Qhakoa32.exe File created C:\Windows\SysWOW64\Aalebkhm.dll Ljgpkonp.exe File created C:\Windows\SysWOW64\Dkahilkl.exe Dhclmp32.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Amlogfel.exe File created C:\Windows\SysWOW64\Gelfeh32.dll Dddllkbf.exe File opened for modification C:\Windows\SysWOW64\Plkpcfal.exe Phodcg32.exe File created C:\Windows\SysWOW64\Pccahbmn.exe Pmiikh32.exe File created C:\Windows\SysWOW64\Nahffe32.dll Jgcamf32.exe File created C:\Windows\SysWOW64\Jecffa32.dll Meamcg32.exe File created C:\Windows\SysWOW64\Olealnbk.dll Dihlbf32.exe File opened for modification C:\Windows\SysWOW64\Ohhnbhok.exe Oejbfmpg.exe File created C:\Windows\SysWOW64\Hankellh.dll Idhnkf32.exe File opened for modification C:\Windows\SysWOW64\Dfnbgc32.exe Dngjff32.exe File created C:\Windows\SysWOW64\Joekag32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gpfjma32.exe Gilapgqb.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mmnhcb32.exe File created C:\Windows\SysWOW64\Cdpjlb32.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe Hoaojp32.exe File created C:\Windows\SysWOW64\Hlbpmd32.dll Jhndljll.exe File opened for modification C:\Windows\SysWOW64\Kgflcifg.exe Kpmdfonj.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Enfckp32.exe File created C:\Windows\SysWOW64\Ebifmm32.exe Eojiqb32.exe File created C:\Windows\SysWOW64\Jaonbc32.exe Process not Found File created C:\Windows\SysWOW64\Cboeai32.dll Dngjff32.exe File created C:\Windows\SysWOW64\Jbepme32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pofjpl32.exe Plhnda32.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qeodhjmo.exe File opened for modification C:\Windows\SysWOW64\Ckebcg32.exe Cdkifmjq.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cjjlkk32.exe Cbbdjm32.exe File created C:\Windows\SysWOW64\Dannpknl.dll Nnfpinmi.exe File created C:\Windows\SysWOW64\Hkbdki32.exe Hdilnojp.exe File created C:\Windows\SysWOW64\Lcckiibj.dll Process not Found File created C:\Windows\SysWOW64\Legokici.dll Nhkikq32.exe File created C:\Windows\SysWOW64\Moipoh32.exe Mqfpckhm.exe File opened for modification C:\Windows\SysWOW64\Bggnof32.exe Bqmeal32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9984 8940 Process not Found 1321 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoaojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhpfbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmomlnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dikpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoknihb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebifmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekaapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocamjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnbhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaihooo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkabjbih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimenegi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfchidda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giecfejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geanfelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjgoaoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goglcahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diccgfpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbbhkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikglnkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapceeje.dll" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmomlnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kilpmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdhn32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neccpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjgeedch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnhkbfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaiimadl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiogmig.dll" Fmkgkapm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flinkojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aompak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll" Phcgcqab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll" Nggnadib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qqffjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlmbfqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpggodfg.dll" Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icfekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeifdjo.dll" Fajbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleggmck.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oenlqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Enpfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbhd32.dll" Ehfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjeehbgh.dll" Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpnihiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajbmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Embccf32.dll" Epagkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefmflff.dll" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeaanjkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohqbhdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmidl32.dll" Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmmic32.dll" Olgemcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eephln32.dll" Jjgchm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbmohmoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifffn32.dll" Haodle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbdhiojo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkekjdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4860 wrote to memory of 912 4860 fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe 83 PID 4860 wrote to memory of 912 4860 fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe 83 PID 4860 wrote to memory of 912 4860 fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe 83 PID 912 wrote to memory of 4788 912 Nhlpfgbb.exe 84 PID 912 wrote to memory of 4788 912 Nhlpfgbb.exe 84 PID 912 wrote to memory of 4788 912 Nhlpfgbb.exe 84 PID 4788 wrote to memory of 2604 4788 Npchgdcd.exe 85 PID 4788 wrote to memory of 2604 4788 Npchgdcd.exe 85 PID 4788 wrote to memory of 2604 4788 Npchgdcd.exe 85 PID 2604 wrote to memory of 3672 2604 Noehba32.exe 86 PID 2604 wrote to memory of 3672 2604 Noehba32.exe 86 PID 2604 wrote to memory of 3672 2604 Noehba32.exe 86 PID 3672 wrote to memory of 4208 3672 Nohehq32.exe 87 PID 3672 wrote to memory of 4208 3672 Nohehq32.exe 87 PID 3672 wrote to memory of 4208 3672 Nohehq32.exe 87 PID 4208 wrote to memory of 952 4208 Ngomin32.exe 88 PID 4208 wrote to memory of 952 4208 Ngomin32.exe 88 PID 4208 wrote to memory of 952 4208 Ngomin32.exe 88 PID 952 wrote to memory of 3728 952 Nebmekoi.exe 89 PID 952 wrote to memory of 3728 952 Nebmekoi.exe 89 PID 952 wrote to memory of 3728 952 Nebmekoi.exe 89 PID 3728 wrote to memory of 4008 3728 Nedjjj32.exe 90 PID 3728 wrote to memory of 4008 3728 Nedjjj32.exe 90 PID 3728 wrote to memory of 4008 3728 Nedjjj32.exe 90 PID 4008 wrote to memory of 100 4008 Nhbfff32.exe 92 PID 4008 wrote to memory of 100 4008 Nhbfff32.exe 92 PID 4008 wrote to memory of 100 4008 Nhbfff32.exe 92 PID 100 wrote to memory of 3932 100 Nchjdo32.exe 93 PID 100 wrote to memory of 3932 100 Nchjdo32.exe 93 PID 100 wrote to memory of 3932 100 Nchjdo32.exe 93 PID 3932 wrote to memory of 5104 3932 Nheble32.exe 94 PID 3932 wrote to memory of 5104 3932 Nheble32.exe 94 PID 3932 wrote to memory of 5104 3932 Nheble32.exe 94 PID 5104 wrote to memory of 2772 5104 Ncjginjn.exe 96 PID 5104 wrote to memory of 2772 5104 Ncjginjn.exe 96 PID 5104 wrote to memory of 2772 5104 Ncjginjn.exe 96 PID 2772 wrote to memory of 2720 2772 Ogfcjm32.exe 97 PID 2772 wrote to memory of 2720 2772 Ogfcjm32.exe 97 PID 2772 wrote to memory of 2720 2772 Ogfcjm32.exe 97 PID 2720 wrote to memory of 1160 2720 Oeicejia.exe 99 PID 2720 wrote to memory of 1160 2720 Oeicejia.exe 99 PID 2720 wrote to memory of 1160 2720 Oeicejia.exe 99 PID 1160 wrote to memory of 2408 1160 Ocmconhk.exe 100 PID 1160 wrote to memory of 2408 1160 Ocmconhk.exe 100 PID 1160 wrote to memory of 2408 1160 Ocmconhk.exe 100 PID 2408 wrote to memory of 3748 2408 Oigllh32.exe 101 PID 2408 wrote to memory of 3748 2408 Oigllh32.exe 101 PID 2408 wrote to memory of 3748 2408 Oigllh32.exe 101 PID 3748 wrote to memory of 880 3748 Ocopdn32.exe 102 PID 3748 wrote to memory of 880 3748 Ocopdn32.exe 102 PID 3748 wrote to memory of 880 3748 Ocopdn32.exe 102 PID 880 wrote to memory of 4784 880 Oenlqi32.exe 103 PID 880 wrote to memory of 4784 880 Oenlqi32.exe 103 PID 880 wrote to memory of 4784 880 Oenlqi32.exe 103 PID 4784 wrote to memory of 2292 4784 Olgemcli.exe 104 PID 4784 wrote to memory of 2292 4784 Olgemcli.exe 104 PID 4784 wrote to memory of 2292 4784 Olgemcli.exe 104 PID 2292 wrote to memory of 1776 2292 Oofaiokl.exe 105 PID 2292 wrote to memory of 1776 2292 Oofaiokl.exe 105 PID 2292 wrote to memory of 1776 2292 Oofaiokl.exe 105 PID 1776 wrote to memory of 2556 1776 Ocamjm32.exe 106 PID 1776 wrote to memory of 2556 1776 Ocamjm32.exe 106 PID 1776 wrote to memory of 2556 1776 Ocamjm32.exe 106 PID 2556 wrote to memory of 4028 2556 Oepifi32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe"C:\Users\Admin\AppData\Local\Temp\fc4c15de980bd545b25ff6a001a2f6744aa3dc347eeb7cec0fd8f538fe8d56d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ocopdn32.exeC:\Windows\system32\Ocopdn32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe23⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe25⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe26⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe28⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe29⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe30⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe31⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe32⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe33⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe34⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe35⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe36⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3776 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe40⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe41⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe42⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe43⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe45⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe46⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3412 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe48⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe49⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe50⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe51⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe52⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe54⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe55⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe56⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe57⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe58⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe59⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe60⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe61⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe62⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe65⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe66⤵PID:4140
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe67⤵PID:3772
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe68⤵PID:1688
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe69⤵PID:4004
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe70⤵PID:3244
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe72⤵
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe74⤵PID:4992
-
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe75⤵PID:3464
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe76⤵PID:1648
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4960 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe78⤵
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe79⤵PID:872
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe80⤵
- Drops file in System32 directory
PID:4800 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4964 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe82⤵PID:1900
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe83⤵PID:5080
-
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe84⤵PID:1936
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe85⤵PID:4176
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe86⤵
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe87⤵PID:2624
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe88⤵PID:2540
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe89⤵
- Drops file in System32 directory
PID:3684 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe90⤵PID:5076
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe91⤵PID:3796
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe92⤵PID:4124
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe93⤵PID:4656
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe94⤵PID:2764
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe95⤵PID:3120
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe96⤵PID:4672
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe97⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe98⤵PID:1524
-
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe99⤵
- Drops file in System32 directory
PID:4252 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe100⤵PID:1364
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe101⤵PID:3208
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe102⤵PID:5152
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe103⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5256 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe105⤵PID:5300
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe106⤵PID:5364
-
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe107⤵PID:5428
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe108⤵PID:5472
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe109⤵PID:5556
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe110⤵PID:5620
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe111⤵PID:5668
-
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe112⤵PID:5720
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe113⤵PID:5764
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5804 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe115⤵PID:5852
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe116⤵PID:5900
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe117⤵PID:5960
-
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe118⤵PID:6004
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6048 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe120⤵PID:6092
-
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe121⤵
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe122⤵
- Modifies registry class
PID:5188
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-