Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 12:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe
-
Size
71KB
-
MD5
cef88437ba1506fce9a149f20358e005
-
SHA1
4805f263461e00f9a33e9212c4d456d3be985ef2
-
SHA256
abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7
-
SHA512
dbf2cf7ed4eebc48d456a25ac6604702848684cddabe3589c19f7e39fed6b81fb4db84c09e9e08688fbff2ca4f4c7adf9822d79ba41f964669a4643645163d8d
-
SSDEEP
1536:V857Dr8qKKgJbro8TXuMQgAWpjGCSbmRT6zRQCpDbEyRCRRRoR4RkG:V8tDr14JbU8TXggAW0Cyieze8Ey032yx
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjcbcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpigm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnfgnle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhcmao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkjnpbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibkqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlnknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcipeolg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phkahe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlbeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncboeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmcmffjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajkgiepi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnmhbaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Plehnjdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpipbpcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihjle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lilgnejm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngijaop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfbeooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhckq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpaqhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbddld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacmjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgigbhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eabhjpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmelhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnhkhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlpelmgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afpbcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmdfgdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdodal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mahkbjnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpcojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhpppobe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqhcfeho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmpldbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epnbdmaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eaieca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idjboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpminp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjieqnij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inejhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnhfnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boabgkef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecigkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnkjnpbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lapogbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhmmpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djdcfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lieamfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogjcde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihakod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgjgclaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljkpegnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhhfmnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcfobahc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mefcihdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejailfbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjjgni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmadji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fifodq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjghknkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lndopf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4424 Faghoece.exe 4108 Fdfdkqbi.exe 4240 Fgdqglbm.exe 1092 Fnnidf32.exe 4616 Fajeeeac.exe 1036 Fhcmao32.exe 4484 Foneni32.exe 1104 Fdjnfp32.exe 2212 Fgijbk32.exe 2960 Fncboeed.exe 4180 Fejjqcff.exe 4008 Fhhfmnej.exe 3416 Fkgbijdn.exe 1496 Ggncnkjb.exe 2164 Goekohjd.exe 4596 Geoclb32.exe 1388 Ggppcjgp.exe 1256 Gnjhpd32.exe 3784 Geapabpo.exe 2148 Ggbmij32.exe 3624 Gnleedmj.exe 1896 Gecmganl.exe 220 Ggdinj32.exe 3696 Golapg32.exe 456 Gffjla32.exe 1996 Gggfdiag.exe 2088 Gkbbdh32.exe 1536 Galjabam.exe 4024 Hdkgmnpa.exe 1696 Hgiciipe.exe 2296 Hboggbok.exe 4848 Hhioclgg.exe 3520 Hkglpgfk.exe 3460 Hnehlceo.exe 2604 Hfmpmpea.exe 400 Hhklilde.exe 2720 Hgnldh32.exe 3264 Hoedff32.exe 3792 Hbcqba32.exe 1956 Hhmiokbb.exe 4340 Hgpijhim.exe 2056 Hogakejo.exe 2112 Hbfmgaic.exe 5032 Hddiclhf.exe 1676 Hhpedk32.exe 4248 Hgbfphgj.exe 2472 Hojnaehl.exe 4260 Ifdfno32.exe 1376 Ikqnffnq.exe 3048 Inokbamd.exe 1460 Iidoojlj.exe 3652 Inaggaka.exe 3972 Ibmchp32.exe 4844 Iiglejjg.exe 2420 Igjlpg32.exe 4740 Ioadadbd.exe 1596 Ibopnpah.exe 3492 Iiihjj32.exe 1264 Iocqgdpb.exe 3960 Infabq32.exe 4984 Ifmidn32.exe 2444 Ignekfmm.exe 1588 Ikjale32.exe 3248 Jbdiio32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pifeghba.exe Paomfkao.exe File opened for modification C:\Windows\SysWOW64\Boofbkhi.exe Bmpifphe.exe File created C:\Windows\SysWOW64\Fcbjad32.exe Flkbpg32.exe File created C:\Windows\SysWOW64\Gbnmbpld.exe Fppqfdmq.exe File created C:\Windows\SysWOW64\Ikbjod32.dll Gmkgqh32.exe File opened for modification C:\Windows\SysWOW64\Pjdologp.exe Pfhckq32.exe File opened for modification C:\Windows\SysWOW64\Mnpold32.exe Mlabpi32.exe File created C:\Windows\SysWOW64\Gpealj32.exe Gmgepo32.exe File opened for modification C:\Windows\SysWOW64\Gnlnknin.exe Gkmbob32.exe File created C:\Windows\SysWOW64\Idkije32.exe Iallnj32.exe File opened for modification C:\Windows\SysWOW64\Incmbkec.exe Ikdafofp.exe File created C:\Windows\SysWOW64\Kqeaep32.dll Jhpgqboa.exe File created C:\Windows\SysWOW64\Ahifpg32.dll Aefhbh32.exe File created C:\Windows\SysWOW64\Nfmbfc32.dll Hgpijhim.exe File opened for modification C:\Windows\SysWOW64\Qjpohnmb.exe Qgablbno.exe File created C:\Windows\SysWOW64\Kdefcc32.dll Cbknoe32.exe File created C:\Windows\SysWOW64\Cqjbafle.dll Gfaodnne.exe File created C:\Windows\SysWOW64\Iqahaime.dll Inndgk32.exe File created C:\Windows\SysWOW64\Kikgladd.exe Kqdokcda.exe File opened for modification C:\Windows\SysWOW64\Naeaio32.exe Nofemc32.exe File opened for modification C:\Windows\SysWOW64\Nghfof32.exe Noqomh32.exe File created C:\Windows\SysWOW64\Fgffbelo.exe Fdgjfjmk.exe File opened for modification C:\Windows\SysWOW64\Bllpkq32.exe Bhpdjbda.exe File created C:\Windows\SysWOW64\Fmhjck32.dll Dioibnjo.exe File created C:\Windows\SysWOW64\Nhnbkbkm.exe Nepfog32.exe File created C:\Windows\SysWOW64\Bdgafkog.dll Ngcmcfha.exe File opened for modification C:\Windows\SysWOW64\Alpqobgg.exe Ajadcghd.exe File created C:\Windows\SysWOW64\Oilbajjl.exe Oeafpk32.exe File created C:\Windows\SysWOW64\Gdnimc32.exe Gmdapilj.exe File opened for modification C:\Windows\SysWOW64\Jedbjj32.exe Jbffno32.exe File opened for modification C:\Windows\SysWOW64\Lbddld32.exe Ljmmkg32.exe File opened for modification C:\Windows\SysWOW64\Pkbhcale.exe Phdlgfma.exe File created C:\Windows\SysWOW64\Agdoaall.exe Qchcqc32.exe File opened for modification C:\Windows\SysWOW64\Jkbmhm32.exe Jidalb32.exe File opened for modification C:\Windows\SysWOW64\Oacmjm32.exe Oodana32.exe File created C:\Windows\SysWOW64\Ijioifbc.dll Qklkjpcj.exe File created C:\Windows\SysWOW64\Pkindqem.exe Phkahe32.exe File opened for modification C:\Windows\SysWOW64\Qklkjpcj.exe Plijnc32.exe File created C:\Windows\SysWOW64\Jkpjhghf.exe Jdfakm32.exe File opened for modification C:\Windows\SysWOW64\Ojpeap32.exe Ogaied32.exe File created C:\Windows\SysWOW64\Dfogki32.exe Dhlgpljo.exe File created C:\Windows\SysWOW64\Ciomnjcl.dll Hgpbpb32.exe File created C:\Windows\SysWOW64\Ckjpblig.exe Cmgpfo32.exe File created C:\Windows\SysWOW64\Dfigecac.exe Dckkihao.exe File created C:\Windows\SysWOW64\Lqjnal32.exe Lnlbeq32.exe File opened for modification C:\Windows\SysWOW64\Jnkjnpbg.exe Jbdiio32.exe File opened for modification C:\Windows\SysWOW64\Dhndel32.exe Dpgldn32.exe File opened for modification C:\Windows\SysWOW64\Necjomnc.exe Nbdmcaoo.exe File created C:\Windows\SysWOW64\Mqmikn32.dll Eldloh32.exe File opened for modification C:\Windows\SysWOW64\Jpeloo32.exe Jngpcd32.exe File opened for modification C:\Windows\SysWOW64\Aqoppgqj.exe Ahghnjpg.exe File created C:\Windows\SysWOW64\Gjedhdbh.dll Mapgnpla.exe File opened for modification C:\Windows\SysWOW64\Mlabpi32.exe Mibfdn32.exe File opened for modification C:\Windows\SysWOW64\Noknhc32.exe Nkpbgdlj.exe File created C:\Windows\SysWOW64\Jbffno32.exe Jnkjnpbg.exe File opened for modification C:\Windows\SysWOW64\Dhpqkk32.exe Dpihin32.exe File created C:\Windows\SysWOW64\Mfjjmhql.exe Mobbljpj.exe File created C:\Windows\SysWOW64\Cjjmohjg.dll Ccdkco32.exe File opened for modification C:\Windows\SysWOW64\Dioibnjo.exe Dfpmfbkk.exe File created C:\Windows\SysWOW64\Fjlbnoea.exe Ffqfmp32.exe File created C:\Windows\SysWOW64\Jnkjnpbg.exe Jbdiio32.exe File created C:\Windows\SysWOW64\Oogbojgj.dll Kphcianj.exe File opened for modification C:\Windows\SysWOW64\Nbchhhdm.exe Npdklmej.exe File opened for modification C:\Windows\SysWOW64\Pcopjdlm.exe Pocdjfcd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16856 16712 WerFault.exe 925 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnomni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbmjdia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcdnim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlakgfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhehhmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpihin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlpfjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbingcil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngejiffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkidbjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijgjgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indcndoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejelmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mknopcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfgjpcce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacmjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qccbkmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgiaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmbnggl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoeclmpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkicgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkchkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlpelmgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbdmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkgmnpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqgbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklpnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpdjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlklnmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goekohjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bichjhfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckgcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdinj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkflncpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Minmindo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgpfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migpomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akgjenim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilijl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpdjadik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighnkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhckq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oandonoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkijao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkgiepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnfgnle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnimc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbfhkfib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfjinhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlkklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpnkkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peobaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klapcaak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pemeli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfahj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ligfho32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kilngg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpmldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpkobbc.dll" Incmbkec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghbka32.dll" Qjohmgjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijpih32.dll" Bfahnfem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eiepcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnaboeca.dll" Hboggbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nefmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjpek32.dll" Afnemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkaaf32.dll" Dpgldn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oodana32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpldadl.dll" Jbffno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lpmldp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjjjej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Migpomld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcqfenfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djdcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgigbhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpobpgb.dll" Kkilnfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knfjinhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcicde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikdafofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epojeoic.dll" Fpqgakql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkfeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonbak32.dll" Nbdmcaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aolpenhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afmocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkaaeoop.dll" Lnqkppge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjgdm32.dll" Jkokgdaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbdmcaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpnlfnm.dll" Polgoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pcnipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dieflobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikaolkd.dll" Epkndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnqkppge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgkmoelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odadlf32.dll" Ijjnglkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mppbqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfchoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oeafpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgdqglbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aamigi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeipja32.dll" Aijedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnabq32.dll" Hogakejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlpelmgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dihjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhioclgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afkihnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnafkb32.dll" Hpaqhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikdafofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpikig32.dll" Knhpdhck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebijqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibnjo32.dll" Lqjnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jedbjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmondnbo.dll" Dfjnpido.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkokgdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhaeo32.dll" Gnlnknin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mknopcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dflkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmfkc32.dll" Lepdbpnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fgdqglbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcbdmioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohnkh32.dll" Eiepcm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 4424 2384 abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe 82 PID 2384 wrote to memory of 4424 2384 abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe 82 PID 2384 wrote to memory of 4424 2384 abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe 82 PID 4424 wrote to memory of 4108 4424 Faghoece.exe 83 PID 4424 wrote to memory of 4108 4424 Faghoece.exe 83 PID 4424 wrote to memory of 4108 4424 Faghoece.exe 83 PID 4108 wrote to memory of 4240 4108 Fdfdkqbi.exe 84 PID 4108 wrote to memory of 4240 4108 Fdfdkqbi.exe 84 PID 4108 wrote to memory of 4240 4108 Fdfdkqbi.exe 84 PID 4240 wrote to memory of 1092 4240 Fgdqglbm.exe 85 PID 4240 wrote to memory of 1092 4240 Fgdqglbm.exe 85 PID 4240 wrote to memory of 1092 4240 Fgdqglbm.exe 85 PID 1092 wrote to memory of 4616 1092 Fnnidf32.exe 86 PID 1092 wrote to memory of 4616 1092 Fnnidf32.exe 86 PID 1092 wrote to memory of 4616 1092 Fnnidf32.exe 86 PID 4616 wrote to memory of 1036 4616 Fajeeeac.exe 87 PID 4616 wrote to memory of 1036 4616 Fajeeeac.exe 87 PID 4616 wrote to memory of 1036 4616 Fajeeeac.exe 87 PID 1036 wrote to memory of 4484 1036 Fhcmao32.exe 88 PID 1036 wrote to memory of 4484 1036 Fhcmao32.exe 88 PID 1036 wrote to memory of 4484 1036 Fhcmao32.exe 88 PID 4484 wrote to memory of 1104 4484 Foneni32.exe 89 PID 4484 wrote to memory of 1104 4484 Foneni32.exe 89 PID 4484 wrote to memory of 1104 4484 Foneni32.exe 89 PID 1104 wrote to memory of 2212 1104 Fdjnfp32.exe 90 PID 1104 wrote to memory of 2212 1104 Fdjnfp32.exe 90 PID 1104 wrote to memory of 2212 1104 Fdjnfp32.exe 90 PID 2212 wrote to memory of 2960 2212 Fgijbk32.exe 91 PID 2212 wrote to memory of 2960 2212 Fgijbk32.exe 91 PID 2212 wrote to memory of 2960 2212 Fgijbk32.exe 91 PID 2960 wrote to memory of 4180 2960 Fncboeed.exe 92 PID 2960 wrote to memory of 4180 2960 Fncboeed.exe 92 PID 2960 wrote to memory of 4180 2960 Fncboeed.exe 92 PID 4180 wrote to memory of 4008 4180 Fejjqcff.exe 93 PID 4180 wrote to memory of 4008 4180 Fejjqcff.exe 93 PID 4180 wrote to memory of 4008 4180 Fejjqcff.exe 93 PID 4008 wrote to memory of 3416 4008 Fhhfmnej.exe 94 PID 4008 wrote to memory of 3416 4008 Fhhfmnej.exe 94 PID 4008 wrote to memory of 3416 4008 Fhhfmnej.exe 94 PID 3416 wrote to memory of 1496 3416 Fkgbijdn.exe 95 PID 3416 wrote to memory of 1496 3416 Fkgbijdn.exe 95 PID 3416 wrote to memory of 1496 3416 Fkgbijdn.exe 95 PID 1496 wrote to memory of 2164 1496 Ggncnkjb.exe 96 PID 1496 wrote to memory of 2164 1496 Ggncnkjb.exe 96 PID 1496 wrote to memory of 2164 1496 Ggncnkjb.exe 96 PID 2164 wrote to memory of 4596 2164 Goekohjd.exe 97 PID 2164 wrote to memory of 4596 2164 Goekohjd.exe 97 PID 2164 wrote to memory of 4596 2164 Goekohjd.exe 97 PID 4596 wrote to memory of 1388 4596 Geoclb32.exe 98 PID 4596 wrote to memory of 1388 4596 Geoclb32.exe 98 PID 4596 wrote to memory of 1388 4596 Geoclb32.exe 98 PID 1388 wrote to memory of 1256 1388 Ggppcjgp.exe 99 PID 1388 wrote to memory of 1256 1388 Ggppcjgp.exe 99 PID 1388 wrote to memory of 1256 1388 Ggppcjgp.exe 99 PID 1256 wrote to memory of 3784 1256 Gnjhpd32.exe 100 PID 1256 wrote to memory of 3784 1256 Gnjhpd32.exe 100 PID 1256 wrote to memory of 3784 1256 Gnjhpd32.exe 100 PID 3784 wrote to memory of 2148 3784 Geapabpo.exe 101 PID 3784 wrote to memory of 2148 3784 Geapabpo.exe 101 PID 3784 wrote to memory of 2148 3784 Geapabpo.exe 101 PID 2148 wrote to memory of 3624 2148 Ggbmij32.exe 102 PID 2148 wrote to memory of 3624 2148 Ggbmij32.exe 102 PID 2148 wrote to memory of 3624 2148 Ggbmij32.exe 102 PID 3624 wrote to memory of 1896 3624 Gnleedmj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe"C:\Users\Admin\AppData\Local\Temp\abf7ce1875aa4a4d61d64a12694eaec8d50a0f0075822da3e3eb40d251bbece7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Faghoece.exeC:\Windows\system32\Faghoece.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Fdfdkqbi.exeC:\Windows\system32\Fdfdkqbi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Fgdqglbm.exeC:\Windows\system32\Fgdqglbm.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\Fnnidf32.exeC:\Windows\system32\Fnnidf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Fajeeeac.exeC:\Windows\system32\Fajeeeac.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Fhcmao32.exeC:\Windows\system32\Fhcmao32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Foneni32.exeC:\Windows\system32\Foneni32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Fdjnfp32.exeC:\Windows\system32\Fdjnfp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Fgijbk32.exeC:\Windows\system32\Fgijbk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fejjqcff.exeC:\Windows\system32\Fejjqcff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Fhhfmnej.exeC:\Windows\system32\Fhhfmnej.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe23⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ggdinj32.exeC:\Windows\system32\Ggdinj32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe25⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Gffjla32.exeC:\Windows\system32\Gffjla32.exe26⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Gggfdiag.exeC:\Windows\system32\Gggfdiag.exe27⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe28⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe29⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Hdkgmnpa.exeC:\Windows\system32\Hdkgmnpa.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4024 -
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe31⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Hhioclgg.exeC:\Windows\system32\Hhioclgg.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Hkglpgfk.exeC:\Windows\system32\Hkglpgfk.exe34⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Hnehlceo.exeC:\Windows\system32\Hnehlceo.exe35⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Hfmpmpea.exeC:\Windows\system32\Hfmpmpea.exe36⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Hhklilde.exeC:\Windows\system32\Hhklilde.exe37⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Hgnldh32.exeC:\Windows\system32\Hgnldh32.exe38⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe39⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Hbcqba32.exeC:\Windows\system32\Hbcqba32.exe40⤵
- Executes dropped EXE
PID:3792 -
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe41⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hgpijhim.exeC:\Windows\system32\Hgpijhim.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Hogakejo.exeC:\Windows\system32\Hogakejo.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Hbfmgaic.exeC:\Windows\system32\Hbfmgaic.exe44⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe45⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Hhpedk32.exeC:\Windows\system32\Hhpedk32.exe46⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe47⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe48⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe49⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Ikqnffnq.exeC:\Windows\system32\Ikqnffnq.exe50⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Inokbamd.exeC:\Windows\system32\Inokbamd.exe51⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe52⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe53⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Ibmchp32.exeC:\Windows\system32\Ibmchp32.exe54⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe55⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Igjlpg32.exeC:\Windows\system32\Igjlpg32.exe56⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe57⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Ibopnpah.exeC:\Windows\system32\Ibopnpah.exe58⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Iiihjj32.exeC:\Windows\system32\Iiihjj32.exe59⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe60⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Infabq32.exeC:\Windows\system32\Infabq32.exe61⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Ifmidn32.exeC:\Windows\system32\Ifmidn32.exe62⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe63⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe64⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Jbdiio32.exeC:\Windows\system32\Jbdiio32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248 -
C:\Windows\SysWOW64\Jnkjnpbg.exeC:\Windows\system32\Jnkjnpbg.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe68⤵
- Modifies registry class
PID:724 -
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe69⤵
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe70⤵
- System Location Discovery: System Language Discovery
PID:432 -
C:\Windows\SysWOW64\Jfdodm32.exeC:\Windows\system32\Jfdodm32.exe71⤵PID:4976
-
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3204 -
C:\Windows\SysWOW64\Jpmcmbhg.exeC:\Windows\system32\Jpmcmbhg.exe73⤵PID:2736
-
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe74⤵PID:1484
-
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe75⤵PID:2492
-
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe76⤵PID:4912
-
C:\Windows\SysWOW64\Jnapno32.exeC:\Windows\system32\Jnapno32.exe77⤵PID:1304
-
C:\Windows\SysWOW64\Jfihplma.exeC:\Windows\system32\Jfihplma.exe78⤵PID:3384
-
C:\Windows\SysWOW64\Jigdlhle.exeC:\Windows\system32\Jigdlhle.exe79⤵PID:2964
-
C:\Windows\SysWOW64\Jpamhb32.exeC:\Windows\system32\Jpamhb32.exe80⤵PID:3364
-
C:\Windows\SysWOW64\Kfkeelko.exeC:\Windows\system32\Kfkeelko.exe81⤵PID:1776
-
C:\Windows\SysWOW64\Kijaagjb.exeC:\Windows\system32\Kijaagjb.exe82⤵PID:436
-
C:\Windows\SysWOW64\Knfjinhj.exeC:\Windows\system32\Knfjinhj.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe84⤵PID:4344
-
C:\Windows\SysWOW64\Kilngg32.exeC:\Windows\system32\Kilngg32.exe85⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Knifon32.exeC:\Windows\system32\Knifon32.exe86⤵PID:5084
-
C:\Windows\SysWOW64\Kfpnpk32.exeC:\Windows\system32\Kfpnpk32.exe87⤵PID:1928
-
C:\Windows\SysWOW64\Khakhcmg.exeC:\Windows\system32\Khakhcmg.exe88⤵PID:1756
-
C:\Windows\SysWOW64\Kphcianj.exeC:\Windows\system32\Kphcianj.exe89⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Kfbkfk32.exeC:\Windows\system32\Kfbkfk32.exe90⤵PID:4608
-
C:\Windows\SysWOW64\Kiqgbf32.exeC:\Windows\system32\Kiqgbf32.exe91⤵
- System Location Discovery: System Language Discovery
PID:4732 -
C:\Windows\SysWOW64\Klocnbcn.exeC:\Windows\system32\Klocnbcn.exe92⤵PID:4992
-
C:\Windows\SysWOW64\Knmpjmba.exeC:\Windows\system32\Knmpjmba.exe93⤵PID:5112
-
C:\Windows\SysWOW64\Kfdhkkcd.exeC:\Windows\system32\Kfdhkkcd.exe94⤵PID:3540
-
C:\Windows\SysWOW64\Kicdgfbg.exeC:\Windows\system32\Kicdgfbg.exe95⤵PID:1028
-
C:\Windows\SysWOW64\Klapcaak.exeC:\Windows\system32\Klapcaak.exe96⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Lpmldp32.exeC:\Windows\system32\Lpmldp32.exe97⤵
- Modifies registry class
PID:3144 -
C:\Windows\SysWOW64\Lfgdajaa.exeC:\Windows\system32\Lfgdajaa.exe98⤵PID:2424
-
C:\Windows\SysWOW64\Lieamfpe.exeC:\Windows\system32\Lieamfpe.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Lhhahb32.exeC:\Windows\system32\Lhhahb32.exe100⤵PID:3940
-
C:\Windows\SysWOW64\Lpoijpgb.exeC:\Windows\system32\Lpoijpgb.exe101⤵PID:3052
-
C:\Windows\SysWOW64\Lhjnnbem.exeC:\Windows\system32\Lhjnnbem.exe102⤵PID:2460
-
C:\Windows\SysWOW64\Lpafopeo.exeC:\Windows\system32\Lpafopeo.exe103⤵PID:876
-
C:\Windows\SysWOW64\Lndfkl32.exeC:\Windows\system32\Lndfkl32.exe104⤵PID:1656
-
C:\Windows\SysWOW64\Lflnlj32.exeC:\Windows\system32\Lflnlj32.exe105⤵PID:2828
-
C:\Windows\SysWOW64\Lenngfcf.exeC:\Windows\system32\Lenngfcf.exe106⤵PID:4908
-
C:\Windows\SysWOW64\Lhmjcbcj.exeC:\Windows\system32\Lhmjcbcj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748 -
C:\Windows\SysWOW64\Llhfdq32.exeC:\Windows\system32\Llhfdq32.exe108⤵PID:4684
-
C:\Windows\SysWOW64\Lbboak32.exeC:\Windows\system32\Lbboak32.exe109⤵PID:4560
-
C:\Windows\SysWOW64\Leqkmf32.exeC:\Windows\system32\Leqkmf32.exe110⤵PID:1584
-
C:\Windows\SysWOW64\Lilgnejm.exeC:\Windows\system32\Lilgnejm.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3616 -
C:\Windows\SysWOW64\Lpfojo32.exeC:\Windows\system32\Lpfojo32.exe112⤵PID:4504
-
C:\Windows\SysWOW64\Lfpggiif.exeC:\Windows\system32\Lfpggiif.exe113⤵PID:1276
-
C:\Windows\SysWOW64\Lioccdhj.exeC:\Windows\system32\Lioccdhj.exe114⤵PID:2312
-
C:\Windows\SysWOW64\Lhadoa32.exeC:\Windows\system32\Lhadoa32.exe115⤵PID:4088
-
C:\Windows\SysWOW64\Moklkkfa.exeC:\Windows\system32\Moklkkfa.exe116⤵PID:388
-
C:\Windows\SysWOW64\Mfbdmi32.exeC:\Windows\system32\Mfbdmi32.exe117⤵PID:4540
-
C:\Windows\SysWOW64\Meedheno.exeC:\Windows\system32\Meedheno.exe118⤵PID:5160
-
C:\Windows\SysWOW64\Mlomep32.exeC:\Windows\system32\Mlomep32.exe119⤵PID:5204
-
C:\Windows\SysWOW64\Mbieajlh.exeC:\Windows\system32\Mbieajlh.exe120⤵PID:5248
-
C:\Windows\SysWOW64\Mehanell.exeC:\Windows\system32\Mehanell.exe121⤵PID:5292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-