Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 12:50
Static task
static1
Behavioral task
behavioral1
Sample
f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe
Resource
win10v2004-20241007-en
General
-
Target
f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe
-
Size
1.3MB
-
MD5
a9e0fc10cc4718c9bc1d7fcec6ab0743
-
SHA1
ad9bb54be6676e5d5fbb7df45518cf5dc7a84061
-
SHA256
b316cbf05f77e1872d3ef282aa065aa57c4af923d57efe2ba3f5812188022aee
-
SHA512
643e9a2f052d193ef6498a6a469900f61f63d66c2f8f14e10f4df96dc64a0baf55e1559872f6df3f876f4f89da472ed552896f6e2217799145d7957390e57e4e
-
SSDEEP
12288:cquV6dduAbaz22cWfVaw0HBHY8r8ABjMnI:vJdusaK2cWfVaw0HB48r8ABYI
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpejlmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjahlgpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Filiii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggocmhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbajbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhclmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojbpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokdnjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdicienl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npjnhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhihdcbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kimghn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlkgmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fafdkmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aglnbhal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gikkfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfnbgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnaokmco.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbphdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghaliknf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjgchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phodcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpomccg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmkadgpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmconhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppolhcnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjeanmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqgidij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggegh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mplafeil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plagcbdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjkblhfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkhpdcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bljlfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olfghg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohlimd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqoiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbped32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 836 Gkmlofol.exe 1084 Ghaliknf.exe 1060 Gkoiefmj.exe 3976 Helfik32.exe 4736 Hmcojh32.exe 2924 Hcpclbfa.exe 3860 Hkkhqd32.exe 3668 Hfqlnm32.exe 2224 Hbgmcnhf.exe 3484 Ikpaldog.exe 2832 Ikbnacmd.exe 5000 Ippggbck.exe 3332 Imdgqfbd.exe 872 Ibcmom32.exe 884 Jfaedkdp.exe 636 Jpijnqkp.exe 2796 Jbhfjljd.exe 4620 Jmpgldhg.exe 2564 Kmijbcpl.exe 4768 Kdcbom32.exe 3880 Kedoge32.exe 3636 Klqcioba.exe 4240 Leihbeib.exe 2800 Llcpoo32.exe 764 Liimncmf.exe 1400 Likjcbkc.exe 4708 Lllcen32.exe 4828 Mmlpoqpg.exe 2024 Mmnldp32.exe 2768 Mgimcebb.exe 1816 Mgkjhe32.exe 3680 Ncbknfed.exe 1468 Npfkgjdn.exe 4484 Njnpppkn.exe 4348 Ncfdie32.exe 1768 Njqmepik.exe 3716 Nloiakho.exe 3944 Nfgmjqop.exe 1180 Ndhmhh32.exe 3080 Nnqbanmo.exe 4160 Ocnjidkf.exe 4140 Olfobjbg.exe 912 Ocpgod32.exe 4672 Ojjolnaq.exe 1896 Ocbddc32.exe 3532 Ofqpqo32.exe 2632 Olkhmi32.exe 3284 Ocdqjceo.exe 4400 Ojoign32.exe 4136 Oqhacgdh.exe 2140 Ofeilobp.exe 1960 Pmoahijl.exe 3600 Pdfjifjo.exe 2132 Pfhfan32.exe 1788 Pmannhhj.exe 2072 Pggbkagp.exe 2960 Pnakhkol.exe 2552 Pqpgdfnp.exe 4308 Pqbdjfln.exe 4468 Pgllfp32.exe 4792 Pjjhbl32.exe 376 Pgnilpah.exe 5076 Pjmehkqk.exe 3008 Qmkadgpo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fdglmkeg.exe Flqdlnde.exe File opened for modification C:\Windows\SysWOW64\Higjaoci.exe Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Pehngkcg.exe Pmaffnce.exe File created C:\Windows\SysWOW64\Cikamapb.dll Hfhgkmpj.exe File opened for modification C:\Windows\SysWOW64\Mnjqmpgg.exe Mgphpe32.exe File created C:\Windows\SysWOW64\Papbpdoi.dll Qfcfml32.exe File created C:\Windows\SysWOW64\Ngjejf32.dll Ihnkel32.exe File created C:\Windows\SysWOW64\Mplafeil.exe Mhdjehhj.exe File opened for modification C:\Windows\SysWOW64\Noehba32.exe Mfjcnold.exe File created C:\Windows\SysWOW64\Fngcmcfe.exe Fijkdmhn.exe File created C:\Windows\SysWOW64\Hiipmhmk.exe Hoclopne.exe File opened for modification C:\Windows\SysWOW64\Pjdpelnc.exe Phfcipoo.exe File created C:\Windows\SysWOW64\Lielhgaa.dll Amqhbe32.exe File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe Beglgani.exe File created C:\Windows\SysWOW64\Jpkphjeb.exe Jgdhgmep.exe File opened for modification C:\Windows\SysWOW64\Fmqgpgoc.exe Fggocmhf.exe File created C:\Windows\SysWOW64\Kbddfmgl.exe Kgopidgf.exe File created C:\Windows\SysWOW64\Qepkbpak.exe Qcaofebg.exe File created C:\Windows\SysWOW64\Alcfei32.exe Aanbhp32.exe File created C:\Windows\SysWOW64\Ncofplba.exe Napjdpcn.exe File created C:\Windows\SysWOW64\Igfclkdj.exe Ilqoobdd.exe File created C:\Windows\SysWOW64\Mfpqjjgd.dll Kimghn32.exe File created C:\Windows\SysWOW64\Idcondbo.dll Emnbdioi.exe File opened for modification C:\Windows\SysWOW64\Ncofplba.exe Napjdpcn.exe File created C:\Windows\SysWOW64\Kofkbk32.exe Klhnfo32.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Ckebcg32.exe File created C:\Windows\SysWOW64\Ncmlocln.dll Klqcioba.exe File opened for modification C:\Windows\SysWOW64\Fhmpagkp.exe Emhldnkj.exe File opened for modification C:\Windows\SysWOW64\Jfpojead.exe Jkkjmlan.exe File created C:\Windows\SysWOW64\Bogcgj32.exe Aimkjp32.exe File created C:\Windows\SysWOW64\Mlmlcjoo.dll Indfca32.exe File created C:\Windows\SysWOW64\Gallfmbn.dll Bjfaeh32.exe File opened for modification C:\Windows\SysWOW64\Fdfmlhna.exe Fnmepn32.exe File created C:\Windows\SysWOW64\Qgklej32.dll Hkeaqi32.exe File created C:\Windows\SysWOW64\Lhjlnlii.dll Pojcjh32.exe File created C:\Windows\SysWOW64\Nnicid32.exe Nlkgmh32.exe File opened for modification C:\Windows\SysWOW64\Oogpjbbb.exe Olicnfco.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Agimkk32.exe Adkqoohc.exe File created C:\Windows\SysWOW64\Okgoadbf.dll Chcddk32.exe File created C:\Windows\SysWOW64\Fpeafcfa.exe Filiii32.exe File opened for modification C:\Windows\SysWOW64\Cdbpgl32.exe Cacckp32.exe File created C:\Windows\SysWOW64\Hkjjlhle.exe Hnfjbdmk.exe File created C:\Windows\SysWOW64\Aoabad32.exe Alcfei32.exe File created C:\Windows\SysWOW64\Inbhocbm.dll Bbiado32.exe File created C:\Windows\SysWOW64\Fdepgkgj.exe Fmkgkapm.exe File created C:\Windows\SysWOW64\Jddnfd32.exe Jlmfeg32.exe File opened for modification C:\Windows\SysWOW64\Bhkmec32.exe Bemqih32.exe File opened for modification C:\Windows\SysWOW64\Eaonjngh.exe Egijmegb.exe File created C:\Windows\SysWOW64\Obncjbkf.dll Ghpocngo.exe File created C:\Windows\SysWOW64\Bdgged32.exe Bahkih32.exe File created C:\Windows\SysWOW64\Bpqhgk32.dll Gmcdffmq.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bmjkic32.exe File opened for modification C:\Windows\SysWOW64\Amfjeobf.exe Aflaie32.exe File opened for modification C:\Windows\SysWOW64\Ccchof32.exe Cmipblaq.exe File opened for modification C:\Windows\SysWOW64\Emehdh32.exe Efkphnbd.exe File created C:\Windows\SysWOW64\Bkdcbd32.exe Bjbfklei.exe File opened for modification C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Coadnlnb.exe Cdlqqcnl.exe File created C:\Windows\SysWOW64\Ohepjfbb.dll Ggcfja32.exe File created C:\Windows\SysWOW64\Akejpg32.dll Jgakbm32.exe File created C:\Windows\SysWOW64\Odjeljhd.exe Omqmop32.exe File created C:\Windows\SysWOW64\Iooogokm.dll Kofkbk32.exe File created C:\Windows\SysWOW64\Cogddd32.exe Cgqlcg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7312 8356 WerFault.exe 1084 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmehkqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplbickp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqoiqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnepe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiccajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njqmepik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcecb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difpmfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpieqeko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhlhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgenbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhgkmpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblkhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjgoaoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfefkkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcdfbqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eglgbdep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hninbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmndlge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbbkfoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmcdffmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekbihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bljlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgipcogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhijqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nloiakho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beeoaapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqida32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjokgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnbgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmcojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnbhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcgffqei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miomdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eefaomcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnoga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolgijpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll" Liimncmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdbmhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbcmakpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll" Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll" Njnpppkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oocddono.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caghhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjapmn.dll" Gnhnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" Djgjlelk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igjeanmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjcngpjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paeelgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Locbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijnin32.dll" Phcomcng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onlche32.dll" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnagpbq.dll" Jpkphjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiobodkp.dll" Aqoiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabbod32.dll" Efkphnbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpabni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjinkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll" Phodcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnpee32.dll" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll" Lekmnajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggqida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcaofebg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coohhlpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbiffko.dll" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leihbeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" Agglboim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhdqnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klfaapbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klhnfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpfjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Megljppl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfhgkmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqhdbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hibafp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 836 2144 f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe 83 PID 2144 wrote to memory of 836 2144 f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe 83 PID 2144 wrote to memory of 836 2144 f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe 83 PID 836 wrote to memory of 1084 836 Gkmlofol.exe 84 PID 836 wrote to memory of 1084 836 Gkmlofol.exe 84 PID 836 wrote to memory of 1084 836 Gkmlofol.exe 84 PID 1084 wrote to memory of 1060 1084 Ghaliknf.exe 85 PID 1084 wrote to memory of 1060 1084 Ghaliknf.exe 85 PID 1084 wrote to memory of 1060 1084 Ghaliknf.exe 85 PID 1060 wrote to memory of 3976 1060 Gkoiefmj.exe 88 PID 1060 wrote to memory of 3976 1060 Gkoiefmj.exe 88 PID 1060 wrote to memory of 3976 1060 Gkoiefmj.exe 88 PID 3976 wrote to memory of 4736 3976 Helfik32.exe 89 PID 3976 wrote to memory of 4736 3976 Helfik32.exe 89 PID 3976 wrote to memory of 4736 3976 Helfik32.exe 89 PID 4736 wrote to memory of 2924 4736 Hmcojh32.exe 91 PID 4736 wrote to memory of 2924 4736 Hmcojh32.exe 91 PID 4736 wrote to memory of 2924 4736 Hmcojh32.exe 91 PID 2924 wrote to memory of 3860 2924 Hcpclbfa.exe 92 PID 2924 wrote to memory of 3860 2924 Hcpclbfa.exe 92 PID 2924 wrote to memory of 3860 2924 Hcpclbfa.exe 92 PID 3860 wrote to memory of 3668 3860 Hkkhqd32.exe 93 PID 3860 wrote to memory of 3668 3860 Hkkhqd32.exe 93 PID 3860 wrote to memory of 3668 3860 Hkkhqd32.exe 93 PID 3668 wrote to memory of 2224 3668 Hfqlnm32.exe 94 PID 3668 wrote to memory of 2224 3668 Hfqlnm32.exe 94 PID 3668 wrote to memory of 2224 3668 Hfqlnm32.exe 94 PID 2224 wrote to memory of 3484 2224 Hbgmcnhf.exe 95 PID 2224 wrote to memory of 3484 2224 Hbgmcnhf.exe 95 PID 2224 wrote to memory of 3484 2224 Hbgmcnhf.exe 95 PID 3484 wrote to memory of 2832 3484 Ikpaldog.exe 96 PID 3484 wrote to memory of 2832 3484 Ikpaldog.exe 96 PID 3484 wrote to memory of 2832 3484 Ikpaldog.exe 96 PID 2832 wrote to memory of 5000 2832 Ikbnacmd.exe 97 PID 2832 wrote to memory of 5000 2832 Ikbnacmd.exe 97 PID 2832 wrote to memory of 5000 2832 Ikbnacmd.exe 97 PID 5000 wrote to memory of 3332 5000 Ippggbck.exe 98 PID 5000 wrote to memory of 3332 5000 Ippggbck.exe 98 PID 5000 wrote to memory of 3332 5000 Ippggbck.exe 98 PID 3332 wrote to memory of 872 3332 Imdgqfbd.exe 99 PID 3332 wrote to memory of 872 3332 Imdgqfbd.exe 99 PID 3332 wrote to memory of 872 3332 Imdgqfbd.exe 99 PID 872 wrote to memory of 884 872 Ibcmom32.exe 100 PID 872 wrote to memory of 884 872 Ibcmom32.exe 100 PID 872 wrote to memory of 884 872 Ibcmom32.exe 100 PID 884 wrote to memory of 636 884 Jfaedkdp.exe 101 PID 884 wrote to memory of 636 884 Jfaedkdp.exe 101 PID 884 wrote to memory of 636 884 Jfaedkdp.exe 101 PID 636 wrote to memory of 2796 636 Jpijnqkp.exe 102 PID 636 wrote to memory of 2796 636 Jpijnqkp.exe 102 PID 636 wrote to memory of 2796 636 Jpijnqkp.exe 102 PID 2796 wrote to memory of 4620 2796 Jbhfjljd.exe 103 PID 2796 wrote to memory of 4620 2796 Jbhfjljd.exe 103 PID 2796 wrote to memory of 4620 2796 Jbhfjljd.exe 103 PID 4620 wrote to memory of 2564 4620 Jmpgldhg.exe 104 PID 4620 wrote to memory of 2564 4620 Jmpgldhg.exe 104 PID 4620 wrote to memory of 2564 4620 Jmpgldhg.exe 104 PID 2564 wrote to memory of 4768 2564 Kmijbcpl.exe 105 PID 2564 wrote to memory of 4768 2564 Kmijbcpl.exe 105 PID 2564 wrote to memory of 4768 2564 Kmijbcpl.exe 105 PID 4768 wrote to memory of 3880 4768 Kdcbom32.exe 106 PID 4768 wrote to memory of 3880 4768 Kdcbom32.exe 106 PID 4768 wrote to memory of 3880 4768 Kdcbom32.exe 106 PID 3880 wrote to memory of 3636 3880 Kedoge32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe"C:\Users\Admin\AppData\Local\Temp\f41dcdde75ad5f844059f576e8287d61c4591f8fd38f7a9d72c47a17b07220baN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Hkkhqd32.exeC:\Windows\system32\Hkkhqd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ikpaldog.exeC:\Windows\system32\Ikpaldog.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Kmijbcpl.exeC:\Windows\system32\Kmijbcpl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Kedoge32.exeC:\Windows\system32\Kedoge32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3636 -
C:\Windows\SysWOW64\Leihbeib.exeC:\Windows\system32\Leihbeib.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe25⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe27⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe28⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe29⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe30⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe31⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe32⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe33⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe34⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Ncfdie32.exeC:\Windows\system32\Ncfdie32.exe36⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe39⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe40⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe41⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe42⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe43⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe44⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe45⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe46⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ofqpqo32.exeC:\Windows\system32\Ofqpqo32.exe47⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe48⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe49⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Oqhacgdh.exeC:\Windows\system32\Oqhacgdh.exe51⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe52⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe53⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe54⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe55⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe56⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe57⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Pnakhkol.exeC:\Windows\system32\Pnakhkol.exe58⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pqpgdfnp.exeC:\Windows\system32\Pqpgdfnp.exe59⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe60⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe61⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe62⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe63⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe66⤵
- Drops file in System32 directory
PID:4572 -
C:\Windows\SysWOW64\Qnjnnj32.exeC:\Windows\system32\Qnjnnj32.exe67⤵PID:1080
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe68⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe69⤵PID:2004
-
C:\Windows\SysWOW64\Acjclpcf.exeC:\Windows\system32\Acjclpcf.exe70⤵PID:916
-
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe71⤵PID:4692
-
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe72⤵PID:2164
-
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe73⤵
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe74⤵PID:1836
-
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe75⤵PID:1592
-
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe76⤵PID:3920
-
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe77⤵PID:3492
-
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe78⤵PID:3588
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe79⤵PID:3948
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe80⤵PID:2288
-
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe81⤵PID:3932
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe82⤵PID:4380
-
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe83⤵PID:3372
-
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe85⤵PID:5124
-
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe86⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe87⤵PID:5236
-
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe88⤵PID:5296
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe89⤵
- Drops file in System32 directory
PID:5340 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe90⤵PID:5384
-
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe91⤵PID:5428
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe92⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe93⤵PID:5516
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe94⤵
- System Location Discovery: System Language Discovery
PID:5560 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe95⤵PID:5604
-
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe96⤵PID:5648
-
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe97⤵PID:5692
-
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe98⤵PID:5736
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe99⤵PID:5780
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe100⤵PID:5824
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe101⤵
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe102⤵
- System Location Discovery: System Language Discovery
PID:5908 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe103⤵PID:5952
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe104⤵PID:5996
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe105⤵PID:6040
-
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe106⤵PID:6076
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe107⤵
- Modifies registry class
PID:6128 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe108⤵PID:5156
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe109⤵PID:5244
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe110⤵PID:5324
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe111⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe112⤵PID:5456
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe113⤵PID:5504
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe114⤵PID:5588
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe115⤵PID:5676
-
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe116⤵PID:5744
-
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe117⤵PID:5816
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe118⤵PID:5880
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe119⤵
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe120⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe121⤵PID:6072
-
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-