Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 19:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
-
Size
320KB
-
MD5
2aa9e362182557ec92c6993efadf0160
-
SHA1
027d0cc77cf29eb52700aa3e7865faa6744ed2d8
-
SHA256
35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506
-
SHA512
3e8ab73e41f05bba7c075b12928d19ecec0c8c0ab7646be7917430a8fc5b5309648b20d7b0403e8f5842d6d39993fffdfd39bca2918c1be244532f889979f0aa
-
SSDEEP
6144:ps4ngnHMtOhqagi3pv5GyZ6YugQdjGG1wsKm06D4:pnnEbhx37GyXu1jGG1ws54
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eidlnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijegcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqpamb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onocomdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpcodihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmhdkknd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kheekkjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikgacl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompfej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmgjia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imiehfao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnfjehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlgoek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbepme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mljmhflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkafmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfaefkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njinmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifaim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpnjah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidlnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpbmfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdickcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebdlangb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofckhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coiaiakf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjnqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnfohmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klekfinp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4960 Oekiqccc.exe 4748 Oocmii32.exe 4940 Oemefcap.exe 4760 Okjnnj32.exe 1920 Oeoblb32.exe 4516 Oklkdi32.exe 216 Oafcqcea.exe 1748 Pllgnl32.exe 4072 Pahpfc32.exe 1036 Phbhcmjl.exe 4396 Pchlpfjb.exe 3272 Phedhmhi.exe 2280 Pamiaboj.exe 984 Pidabppl.exe 2456 Pcmeke32.exe 3024 Pifnhpmi.exe 1156 Pkhjph32.exe 2356 Pemomqcn.exe 1180 Qkjgegae.exe 1400 Qcaofebg.exe 4504 Qhngolpo.exe 648 Ajndioga.exe 3640 Akoqpg32.exe 4372 Aaiimadl.exe 3944 Alnmjjdb.exe 1296 Aakebqbj.exe 2460 Akcjkfij.exe 428 Aanbhp32.exe 3496 Akffafgg.exe 2136 Afkknogn.exe 1964 Akhcfe32.exe 1164 Bfngdn32.exe 2936 Bkkple32.exe 5040 Bcahmb32.exe 4104 Bfpdin32.exe 976 Bljlfh32.exe 2300 Bcddcbab.exe 3068 Bjnmpl32.exe 4152 Bmlilh32.exe 3660 Bcfahbpo.exe 1844 Bjpjel32.exe 2568 Bkafmd32.exe 224 Bcinna32.exe 1124 Bjbfklei.exe 3196 Bkdcbd32.exe 2976 Bbnkonbd.exe 4328 Cihclh32.exe 3392 Cobkhb32.exe 4712 Cjgpfk32.exe 4080 Cmflbf32.exe 2504 Cbbdjm32.exe 2888 Cimmggfl.exe 3444 Cofecami.exe 5012 Cfqmpl32.exe 1176 Cmjemflb.exe 3360 Coiaiakf.exe 4912 Cfcjfk32.exe 5116 Cmmbbejp.exe 2912 Ccgjopal.exe 4268 Dmoohe32.exe 3432 Dcigeooj.exe 3692 Djcoai32.exe 3856 Dkdliame.exe 3012 Dfjpfj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljeafb32.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Moipoh32.exe Mmkdcm32.exe File created C:\Windows\SysWOW64\Feqeog32.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Fofilp32.exe Fgoakc32.exe File created C:\Windows\SysWOW64\Jbepme32.exe Jllhpkfk.exe File opened for modification C:\Windows\SysWOW64\Ekmhejao.exe Eiokinbk.exe File created C:\Windows\SysWOW64\Giidol32.dll Pagbaglh.exe File created C:\Windows\SysWOW64\Fkikinpo.dll Ddnobj32.exe File created C:\Windows\SysWOW64\Nqcejcha.exe Njjmni32.exe File opened for modification C:\Windows\SysWOW64\Qkjgegae.exe Pemomqcn.exe File opened for modification C:\Windows\SysWOW64\Jcikgacl.exe Jqknkedi.exe File created C:\Windows\SysWOW64\Ehkaqc32.dll Iebngial.exe File created C:\Windows\SysWOW64\Pekihfdc.dll Jimldogg.exe File created C:\Windows\SysWOW64\Dqboip32.dll Bcfahbpo.exe File opened for modification C:\Windows\SysWOW64\Dpdaepai.exe Dikihe32.exe File opened for modification C:\Windows\SysWOW64\Fdnhih32.exe Fbplml32.exe File opened for modification C:\Windows\SysWOW64\Iefphb32.exe Ibgdlg32.exe File opened for modification C:\Windows\SysWOW64\Cmmbbejp.exe Cfcjfk32.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pkgcea32.exe File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe Alkijdci.exe File created C:\Windows\SysWOW64\Plikcm32.dll Baannc32.exe File created C:\Windows\SysWOW64\Dnmaea32.exe Dkndie32.exe File created C:\Windows\SysWOW64\Bkkple32.exe Bfngdn32.exe File created C:\Windows\SysWOW64\Jhglpo32.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Hmkqgckn.dll Lfbped32.exe File created C:\Windows\SysWOW64\Hnjfof32.dll Ilfennic.exe File created C:\Windows\SysWOW64\Ecgflaec.dll Gjdaodja.exe File created C:\Windows\SysWOW64\Defbaa32.dll Ljbnfleo.exe File created C:\Windows\SysWOW64\Hdhedh32.exe Hmnmgnoh.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Jdblhj32.dll Fpgpgfmh.exe File created C:\Windows\SysWOW64\Joahqn32.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Fgjimp32.dll Phfcipoo.exe File created C:\Windows\SysWOW64\Foclgq32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Ilibdmgp.exe Ieojgc32.exe File opened for modification C:\Windows\SysWOW64\Mjodla32.exe Mcelpggq.exe File created C:\Windows\SysWOW64\Cinclj32.dll Dolmodpi.exe File created C:\Windows\SysWOW64\Hegaehem.dll Bhbcfbjk.exe File opened for modification C:\Windows\SysWOW64\Kckqbj32.exe Klahfp32.exe File created C:\Windows\SysWOW64\Fnebjidl.dll Lohqnd32.exe File created C:\Windows\SysWOW64\Fcndmiqg.dll Mapppn32.exe File opened for modification C:\Windows\SysWOW64\Obqanjdb.exe Oqoefand.exe File created C:\Windows\SysWOW64\Pjpbba32.dll Emoadlfo.exe File created C:\Windows\SysWOW64\Hnnljj32.exe Hlppno32.exe File created C:\Windows\SysWOW64\Mlkhbi32.dll Ibcjqgnm.exe File created C:\Windows\SysWOW64\Idjnmo32.dll Pifnhpmi.exe File created C:\Windows\SysWOW64\Gmophg32.dll Iikmbh32.exe File created C:\Windows\SysWOW64\Gkkgpc32.exe Gbdoof32.exe File created C:\Windows\SysWOW64\Jgbjbp32.exe Jddnfd32.exe File created C:\Windows\SysWOW64\Micgbemj.dll Chlflabp.exe File created C:\Windows\SysWOW64\Dmohno32.exe Dhclmp32.exe File created C:\Windows\SysWOW64\Jbofpe32.dll Nceefd32.exe File opened for modification C:\Windows\SysWOW64\Aanbhp32.exe Akcjkfij.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe Nlmdbh32.exe File created C:\Windows\SysWOW64\Phonha32.exe Ppgegd32.exe File created C:\Windows\SysWOW64\Npakijcp.dll Mlhqcgnk.exe File created C:\Windows\SysWOW64\Ogmeemdg.dll Ooibkpmi.exe File created C:\Windows\SysWOW64\Kihgqfld.dll Gihpkd32.exe File created C:\Windows\SysWOW64\Egqbff32.dll Cfqmpl32.exe File created C:\Windows\SysWOW64\Ajgflp32.dll Fpbmfn32.exe File opened for modification C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Mjahlgpf.exe Mchppmij.exe File created C:\Windows\SysWOW64\Nlkfjqib.dll Nnicid32.exe File created C:\Windows\SysWOW64\Ffiipfmi.dll Eppjfgcp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3928 17172 WerFault.exe 920 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkkhhmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkceokii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabcopmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfmgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhclmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppolhcnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqoefand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flngfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhejao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kefiopki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakebqbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafkgphl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhiemoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdkdgchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obqanjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckqbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhnfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomqcjie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbicl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllhpkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljmhflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modgdicm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkdek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimcma32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojbpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbhgf32.dll" Ffobhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpcbhji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfmmb32.dll" Nqmojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phdpmbnc.dll" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebdcld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chfegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Egcaod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igbalblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfcnpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikdcmpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclkag32.dll" Gaqhjggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbgkei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Jafdcbge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohjdmko.dll" Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffgmig.dll" Glfmgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbijb32.dll" Najmjokc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenghpla.dll" Enbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hecjke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqfngd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kamjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Likhem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" Pfagighf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akepfpcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hffken32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilnlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bddcenpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll" Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glengm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phigif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll" Afpjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dakikoom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnblnlhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egohdegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljeafb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1128 wrote to memory of 4960 1128 35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe 84 PID 1128 wrote to memory of 4960 1128 35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe 84 PID 1128 wrote to memory of 4960 1128 35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe 84 PID 4960 wrote to memory of 4748 4960 Oekiqccc.exe 85 PID 4960 wrote to memory of 4748 4960 Oekiqccc.exe 85 PID 4960 wrote to memory of 4748 4960 Oekiqccc.exe 85 PID 4748 wrote to memory of 4940 4748 Oocmii32.exe 86 PID 4748 wrote to memory of 4940 4748 Oocmii32.exe 86 PID 4748 wrote to memory of 4940 4748 Oocmii32.exe 86 PID 4940 wrote to memory of 4760 4940 Oemefcap.exe 87 PID 4940 wrote to memory of 4760 4940 Oemefcap.exe 87 PID 4940 wrote to memory of 4760 4940 Oemefcap.exe 87 PID 4760 wrote to memory of 1920 4760 Okjnnj32.exe 88 PID 4760 wrote to memory of 1920 4760 Okjnnj32.exe 88 PID 4760 wrote to memory of 1920 4760 Okjnnj32.exe 88 PID 1920 wrote to memory of 4516 1920 Oeoblb32.exe 89 PID 1920 wrote to memory of 4516 1920 Oeoblb32.exe 89 PID 1920 wrote to memory of 4516 1920 Oeoblb32.exe 89 PID 4516 wrote to memory of 216 4516 Oklkdi32.exe 90 PID 4516 wrote to memory of 216 4516 Oklkdi32.exe 90 PID 4516 wrote to memory of 216 4516 Oklkdi32.exe 90 PID 216 wrote to memory of 1748 216 Oafcqcea.exe 91 PID 216 wrote to memory of 1748 216 Oafcqcea.exe 91 PID 216 wrote to memory of 1748 216 Oafcqcea.exe 91 PID 1748 wrote to memory of 4072 1748 Pllgnl32.exe 92 PID 1748 wrote to memory of 4072 1748 Pllgnl32.exe 92 PID 1748 wrote to memory of 4072 1748 Pllgnl32.exe 92 PID 4072 wrote to memory of 1036 4072 Pahpfc32.exe 93 PID 4072 wrote to memory of 1036 4072 Pahpfc32.exe 93 PID 4072 wrote to memory of 1036 4072 Pahpfc32.exe 93 PID 1036 wrote to memory of 4396 1036 Phbhcmjl.exe 94 PID 1036 wrote to memory of 4396 1036 Phbhcmjl.exe 94 PID 1036 wrote to memory of 4396 1036 Phbhcmjl.exe 94 PID 4396 wrote to memory of 3272 4396 Pchlpfjb.exe 95 PID 4396 wrote to memory of 3272 4396 Pchlpfjb.exe 95 PID 4396 wrote to memory of 3272 4396 Pchlpfjb.exe 95 PID 3272 wrote to memory of 2280 3272 Phedhmhi.exe 96 PID 3272 wrote to memory of 2280 3272 Phedhmhi.exe 96 PID 3272 wrote to memory of 2280 3272 Phedhmhi.exe 96 PID 2280 wrote to memory of 984 2280 Pamiaboj.exe 97 PID 2280 wrote to memory of 984 2280 Pamiaboj.exe 97 PID 2280 wrote to memory of 984 2280 Pamiaboj.exe 97 PID 984 wrote to memory of 2456 984 Pidabppl.exe 98 PID 984 wrote to memory of 2456 984 Pidabppl.exe 98 PID 984 wrote to memory of 2456 984 Pidabppl.exe 98 PID 2456 wrote to memory of 3024 2456 Pcmeke32.exe 99 PID 2456 wrote to memory of 3024 2456 Pcmeke32.exe 99 PID 2456 wrote to memory of 3024 2456 Pcmeke32.exe 99 PID 3024 wrote to memory of 1156 3024 Pifnhpmi.exe 100 PID 3024 wrote to memory of 1156 3024 Pifnhpmi.exe 100 PID 3024 wrote to memory of 1156 3024 Pifnhpmi.exe 100 PID 1156 wrote to memory of 2356 1156 Pkhjph32.exe 101 PID 1156 wrote to memory of 2356 1156 Pkhjph32.exe 101 PID 1156 wrote to memory of 2356 1156 Pkhjph32.exe 101 PID 2356 wrote to memory of 1180 2356 Pemomqcn.exe 102 PID 2356 wrote to memory of 1180 2356 Pemomqcn.exe 102 PID 2356 wrote to memory of 1180 2356 Pemomqcn.exe 102 PID 1180 wrote to memory of 1400 1180 Qkjgegae.exe 103 PID 1180 wrote to memory of 1400 1180 Qkjgegae.exe 103 PID 1180 wrote to memory of 1400 1180 Qkjgegae.exe 103 PID 1400 wrote to memory of 4504 1400 Qcaofebg.exe 104 PID 1400 wrote to memory of 4504 1400 Qcaofebg.exe 104 PID 1400 wrote to memory of 4504 1400 Qcaofebg.exe 104 PID 4504 wrote to memory of 648 4504 Qhngolpo.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe"C:\Users\Admin\AppData\Local\Temp\35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe23⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe24⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe25⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe26⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe30⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe31⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe34⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe35⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Bfpdin32.exeC:\Windows\system32\Bfpdin32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4104 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe37⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe38⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe39⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Bmlilh32.exeC:\Windows\system32\Bmlilh32.exe40⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe42⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe44⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe45⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe47⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe48⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe49⤵
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe50⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe51⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe52⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe53⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe54⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe56⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5116 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe60⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe61⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe62⤵
- Executes dropped EXE
PID:3432 -
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe63⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe64⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe65⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe66⤵PID:840
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe67⤵PID:4308
-
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe68⤵PID:2164
-
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe69⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe70⤵PID:4676
-
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe71⤵PID:3932
-
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe72⤵PID:3948
-
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4224 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe74⤵PID:4780
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe75⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe76⤵
- System Location Discovery: System Language Discovery
PID:4212 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe77⤵PID:4860
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe78⤵PID:3548
-
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe79⤵PID:3808
-
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe82⤵PID:4360
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe83⤵PID:4980
-
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe84⤵PID:3540
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe85⤵PID:2248
-
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe86⤵PID:2508
-
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe88⤵PID:3120
-
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe91⤵PID:2224
-
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe92⤵
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe93⤵PID:404
-
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe94⤵PID:4572
-
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe95⤵PID:1696
-
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe96⤵PID:5076
-
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe97⤵PID:4492
-
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe98⤵
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe99⤵
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe100⤵PID:2804
-
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe101⤵
- System Location Discovery: System Language Discovery
PID:5144 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe102⤵PID:5188
-
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe103⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe104⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe105⤵PID:5316
-
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe106⤵PID:5360
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe107⤵PID:5404
-
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe108⤵
- System Location Discovery: System Language Discovery
PID:5448 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe109⤵PID:5492
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe110⤵PID:5536
-
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe111⤵PID:5580
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe112⤵
- Drops file in System32 directory
PID:5624 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe113⤵PID:5672
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe114⤵PID:5716
-
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe115⤵PID:5760
-
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe116⤵PID:5804
-
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5848 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe118⤵PID:5892
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe119⤵PID:5940
-
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe120⤵
- Drops file in System32 directory
PID:5984 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe121⤵PID:6028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-