Analysis
max time kernel: 95s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 12:28
Static task: static1
Behavioral task: behavioral1
Sample: 4acbefd39dd38784909d04819192f863bc448242be341ed4be3e4f2788754d92.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 4acbefd39dd38784909d04819192f863bc448242be341ed4be3e4f2788754d92.exe
Resource: win10v2004-20241007-en
General
Target: 4acbefd39dd38784909d04819192f863bc448242be341ed4be3e4f2788754d92.exe
Size: 401KB
MD5: 386faa4ad6794db2a87698775a4a576d
SHA1: 01fd0882a06de133ccf28fc7a466c1fa2301f365
SHA256: 4acbefd39dd38784909d04819192f863bc448242be341ed4be3e4f2788754d92
SHA512: da6464ec22794e7c606fbec98275fe7cd3aae1684cd15e98c0e5a3baaab29eaaa1fcba5bb8b7df46cac7921695706a8bcb14a9ad95089bf60ef2dc6d1d4752f1
SSDEEP: 6144:5E5BzVD9EehLgndpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836PGyAN:5uD9EMsndpV6yYP4rbpV6yYPg058Kri
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 2 IoCs
pid pid_target Process procid_target
14288 14212 WerFault.exe 715
13332 14212 WerFault.exe 715
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acbefd39dd38784909d04819192f863bc448242be341ed4be3e4f2788754d92.exe"C:\Users\Admin\AppData\Local\Temp\4acbefd39dd38784909d04819192f863bc448242be341ed4be3e4f2788754d92.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Fkdfcjfq.exeC:\Windows\system32\Fkdfcjfq.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Ghbicmmp.exeC:\Windows\system32\Ghbicmmp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Hkeojh32.exeC:\Windows\system32\Hkeojh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Hglpoi32.exeC:\Windows\system32\Hglpoi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Hbadla32.exeC:\Windows\system32\Hbadla32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Idffilfd.exeC:\Windows\system32\Idffilfd.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Inokbamd.exeC:\Windows\system32\Inokbamd.exe23⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Idicol32.exeC:\Windows\system32\Idicol32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe25⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe26⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe27⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Idkpdk32.exeC:\Windows\system32\Idkpdk32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\Ikehaejk.exeC:\Windows\system32\Ikehaejk.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Incdma32.exeC:\Windows\system32\Incdma32.exe30⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe31⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Iiihjj32.exeC:\Windows\system32\Iiihjj32.exe32⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ikgdfe32.exeC:\Windows\system32\Ikgdfe32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe34⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Iepiokni.exeC:\Windows\system32\Iepiokni.exe35⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Ioemmcno.exeC:\Windows\system32\Ioemmcno.exe37⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Jbdiio32.exeC:\Windows\system32\Jbdiio32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Jebfej32.exeC:\Windows\system32\Jebfej32.exe39⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Jgqbaf32.exeC:\Windows\system32\Jgqbaf32.exe40⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Jnkjnpbg.exeC:\Windows\system32\Jnkjnpbg.exe41⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Jfbbomci.exeC:\Windows\system32\Jfbbomci.exe42⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe43⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Jojghc32.exeC:\Windows\system32\Jojghc32.exe44⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe45⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jegopjha.exeC:\Windows\system32\Jegopjha.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Jkagmd32.exeC:\Windows\system32\Jkagmd32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3164 -
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Jffljm32.exeC:\Windows\system32\Jffljm32.exe49⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Jiehfh32.exeC:\Windows\system32\Jiehfh32.exe50⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Jkcdbc32.exeC:\Windows\system32\Jkcdbc32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Jfihplma.exeC:\Windows\system32\Jfihplma.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Jgjegd32.exeC:\Windows\system32\Jgjegd32.exe54⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe55⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\Keneqi32.exeC:\Windows\system32\Keneqi32.exe57⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Kglamd32.exeC:\Windows\system32\Kglamd32.exe58⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Kpcina32.exeC:\Windows\system32\Kpcina32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Kfnaklil.exeC:\Windows\system32\Kfnaklil.exe60⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe61⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe62⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe63⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe64⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Kinklg32.exeC:\Windows\system32\Kinklg32.exe65⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Knkcdn32.exeC:\Windows\system32\Knkcdn32.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5108 -
C:\Windows\SysWOW64\Kpkpoq32.exeC:\Windows\system32\Kpkpoq32.exe67⤵PID:2148
-
C:\Windows\SysWOW64\Kbilkl32.exeC:\Windows\system32\Kbilkl32.exe68⤵PID:3976
-
C:\Windows\SysWOW64\Khfdcc32.exeC:\Windows\system32\Khfdcc32.exe69⤵PID:4360
-
C:\Windows\SysWOW64\Lbkhpl32.exeC:\Windows\system32\Lbkhpl32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5020 -
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe71⤵PID:792
-
C:\Windows\SysWOW64\Lnbiem32.exeC:\Windows\system32\Lnbiem32.exe72⤵
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Lfiafj32.exeC:\Windows\system32\Lfiafj32.exe73⤵PID:3460
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe74⤵PID:2712
-
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe75⤵
- Modifies registry class
PID:4568 -
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe76⤵
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Lfnkaiki.exeC:\Windows\system32\Lfnkaiki.exe77⤵PID:2792
-
C:\Windows\SysWOW64\Lilgnejm.exeC:\Windows\system32\Lilgnejm.exe78⤵PID:2000
-
C:\Windows\SysWOW64\Llkcjpiq.exeC:\Windows\system32\Llkcjpiq.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3560 -
C:\Windows\SysWOW64\Loioflhd.exeC:\Windows\system32\Loioflhd.exe80⤵PID:1664
-
C:\Windows\SysWOW64\Lioccdhj.exeC:\Windows\system32\Lioccdhj.exe81⤵
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe82⤵PID:3116
-
C:\Windows\SysWOW64\Moklkkfa.exeC:\Windows\system32\Moklkkfa.exe83⤵PID:2424
-
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe84⤵
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Miapid32.exeC:\Windows\system32\Miapid32.exe85⤵PID:4728
-
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe86⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Moniak32.exeC:\Windows\system32\Moniak32.exe87⤵PID:3248
-
C:\Windows\SysWOW64\Micmnd32.exeC:\Windows\system32\Micmnd32.exe88⤵PID:748
-
C:\Windows\SysWOW64\Mlaijo32.exeC:\Windows\system32\Mlaijo32.exe89⤵PID:2740
-
C:\Windows\SysWOW64\Mejnce32.exeC:\Windows\system32\Mejnce32.exe90⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Mhhjop32.exeC:\Windows\system32\Mhhjop32.exe91⤵PID:2600
-
C:\Windows\SysWOW64\Mbnnmi32.exeC:\Windows\system32\Mbnnmi32.exe92⤵PID:1940
-
C:\Windows\SysWOW64\Moeoajng.exeC:\Windows\system32\Moeoajng.exe93⤵PID:636
-
C:\Windows\SysWOW64\Mflgcg32.exeC:\Windows\system32\Mflgcg32.exe94⤵PID:3112
-
C:\Windows\SysWOW64\Mhmcjpdg.exeC:\Windows\system32\Mhmcjpdg.exe95⤵PID:2192
-
C:\Windows\SysWOW64\Npdklmej.exeC:\Windows\system32\Npdklmej.exe96⤵PID:5084
-
C:\Windows\SysWOW64\Nbchhhdm.exeC:\Windows\system32\Nbchhhdm.exe97⤵PID:3944
-
C:\Windows\SysWOW64\Neadddca.exeC:\Windows\system32\Neadddca.exe98⤵PID:2004
-
C:\Windows\SysWOW64\Npghamcg.exeC:\Windows\system32\Npghamcg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4696 -
C:\Windows\SysWOW64\Nbedmhbk.exeC:\Windows\system32\Nbedmhbk.exe100⤵
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Necqicao.exeC:\Windows\system32\Necqicao.exe101⤵PID:2216
-
C:\Windows\SysWOW64\Nhbmeo32.exeC:\Windows\system32\Nhbmeo32.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5128 -
C:\Windows\SysWOW64\Npiegl32.exeC:\Windows\system32\Npiegl32.exe103⤵PID:5172
-
C:\Windows\SysWOW64\Nbgach32.exeC:\Windows\system32\Nbgach32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Niaipbhe.exeC:\Windows\system32\Niaipbhe.exe105⤵PID:5260
-
C:\Windows\SysWOW64\Nlpelmgi.exeC:\Windows\system32\Nlpelmgi.exe106⤵PID:5304
-
C:\Windows\SysWOW64\Nonbhifl.exeC:\Windows\system32\Nonbhifl.exe107⤵PID:5348
-
C:\Windows\SysWOW64\Ngejiffo.exeC:\Windows\system32\Ngejiffo.exe108⤵PID:5392
-
C:\Windows\SysWOW64\Nhffqnlm.exeC:\Windows\system32\Nhffqnlm.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Npnnblmo.exeC:\Windows\system32\Npnnblmo.exe110⤵PID:5484
-
C:\Windows\SysWOW64\Nghfof32.exeC:\Windows\system32\Nghfof32.exe111⤵PID:5532
-
C:\Windows\SysWOW64\Nifbka32.exeC:\Windows\system32\Nifbka32.exe112⤵PID:5576
-
C:\Windows\SysWOW64\Oldogm32.exeC:\Windows\system32\Oldogm32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5620 -
C:\Windows\SysWOW64\Oockch32.exeC:\Windows\system32\Oockch32.exe114⤵PID:5664
-
C:\Windows\SysWOW64\Ogjcde32.exeC:\Windows\system32\Ogjcde32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Oihopa32.exeC:\Windows\system32\Oihopa32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Olglllqq.exeC:\Windows\system32\Olglllqq.exe117⤵PID:5796
-
C:\Windows\SysWOW64\Ooehhhpd.exeC:\Windows\system32\Ooehhhpd.exe118⤵PID:5840
-
C:\Windows\SysWOW64\Oglpjeqf.exeC:\Windows\system32\Oglpjeqf.exe119⤵PID:5884
-
C:\Windows\SysWOW64\Oiklfqpj.exeC:\Windows\system32\Oiklfqpj.exe120⤵PID:5944
-
C:\Windows\SysWOW64\Opedbk32.exeC:\Windows\system32\Opedbk32.exe121⤵PID:6004
-
C:\Windows\SysWOW64\Oogdngna.exeC:\Windows\system32\Oogdngna.exe122⤵
- Drops file in System32 directory
PID:6060