Analysis
-
max time kernel
96s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2024 01:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe
-
Size
89KB
-
MD5
a799074f329da7b0bbfebc3813a81b72
-
SHA1
949e81e990d5e79a3a6d024be62c6bfa71ed551e
-
SHA256
9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480
-
SHA512
7548b78b4e4c68c771c1706fe13d40c81e30cb66185d79cf35428e203080ff065daa726aacd7df52f694afa5d915652b76557dff508486a49d3b899e20d67733
-
SSDEEP
1536:YQVwvuKCQSxs7n40uKI/kt/pxuoA+OGKHgPyRQ7R+KRFR3RzR1URJrCiuiNj5Qkt:YQVQu/QSxALuS/pxuoaHgPye7jb5ZXUT
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iikmbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gijekg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloqml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Loighj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcecjmkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoifflkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmcce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jleijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdbfab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacbhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neafjdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajndioga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncnofeof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megljppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaompd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjecpkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgghjjid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkjeomld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pagbaglh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aggpfkjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bohbhmfm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdickcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfbcke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcmakpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddnfmqng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpdoqgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcgcqab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnemi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odjeljhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcggio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcphab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Epokedmj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3368 Ohlimd32.exe 2992 Oofaiokl.exe 1940 Oileggkb.exe 1044 Opemca32.exe 4472 Ogpepl32.exe 2164 Ollnhb32.exe 4596 Ocffempp.exe 4292 Pedbahod.exe 800 Ploknb32.exe 3816 Pomgjn32.exe 1660 Pfgogh32.exe 1192 Pjbkgfej.exe 3252 Pckppl32.exe 4680 Phhhhc32.exe 2160 Poaqemao.exe 1520 Pcmlfl32.exe 1132 Pflibgil.exe 1428 Pjgebf32.exe 3744 Podmkm32.exe 4344 Pcpikkge.exe 4900 Pgkelj32.exe 2892 Pfnegggi.exe 3736 Pjjahe32.exe 1328 Plhnda32.exe 876 Pqcjepfo.exe 4736 Pofjpl32.exe 3100 Qcbfakec.exe 1724 Qgnbaj32.exe 4028 Qfpbmfdf.exe 4088 Qjlnnemp.exe 3156 Qhonib32.exe 4592 Qqffjo32.exe 4216 Qoifflkg.exe 5080 Qcdbfk32.exe 2020 Qgpogili.exe 4440 Qfbobf32.exe 4608 Qjnkcekm.exe 892 Qhakoa32.exe 512 Qlmgopjq.exe 2196 Aokcklid.exe 3932 Acgolj32.exe 3292 Agbkmijg.exe 1236 Ajqgidij.exe 4376 Ahchda32.exe 2748 Amodep32.exe 2472 Aompak32.exe 2328 Acilajpk.exe 3312 Agdhbi32.exe 1188 Ajcdnd32.exe 2448 Ahfdjanb.exe 4436 Amaqjp32.exe 2720 Aopmfk32.exe 4940 Ackigjmh.exe 2692 Afjeceml.exe 4532 Ajeadd32.exe 1944 Amcmpodi.exe 4992 Aqoiqn32.exe 2232 Aobilkcl.exe 4816 Acnemi32.exe 2812 Aflaie32.exe 4828 Ajhniccb.exe 1476 Aijnep32.exe 4328 Amfjeobf.exe 3276 Aodfajaj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cohkokgj.exe Cljobphg.exe File created C:\Windows\SysWOW64\Mjfmcmai.dll Cohkokgj.exe File created C:\Windows\SysWOW64\Nbaokj32.dll Ocffempp.exe File opened for modification C:\Windows\SysWOW64\Bgbdcgld.exe Bcghch32.exe File created C:\Windows\SysWOW64\Qlejfm32.dll Dbqqkkbo.exe File created C:\Windows\SysWOW64\Fgaemg32.dll Kkjeomld.exe File created C:\Windows\SysWOW64\Cljobphg.exe Cdbfab32.exe File created C:\Windows\SysWOW64\Jgamgpme.dll Ljbfpo32.exe File created C:\Windows\SysWOW64\Dafipibl.dll Jjoiil32.exe File created C:\Windows\SysWOW64\Gfqnichl.dll Ckclhn32.exe File created C:\Windows\SysWOW64\Pbhafkok.dll Nqbpojnp.exe File created C:\Windows\SysWOW64\Dhbebj32.exe Dahmfpap.exe File created C:\Windows\SysWOW64\Ipehcj32.dll Dflmlj32.exe File opened for modification C:\Windows\SysWOW64\Ilafiihp.exe Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Pneall32.dll Pdjgha32.exe File created C:\Windows\SysWOW64\Kbblcj32.dll Epmmqheb.exe File created C:\Windows\SysWOW64\Aopmfk32.exe Amaqjp32.exe File opened for modification C:\Windows\SysWOW64\Cffmfadl.exe Cpleig32.exe File opened for modification C:\Windows\SysWOW64\Edhjqc32.exe Emnbdioi.exe File created C:\Windows\SysWOW64\Accailfj.dll Iggjga32.exe File created C:\Windows\SysWOW64\Ajfmkfhq.dll Jcgnbaeo.exe File opened for modification C:\Windows\SysWOW64\Pedlgbkh.exe Pcepkfld.exe File opened for modification C:\Windows\SysWOW64\Ocffempp.exe Ollnhb32.exe File created C:\Windows\SysWOW64\Jhgcicoj.dll Pgkelj32.exe File created C:\Windows\SysWOW64\Qhakoa32.exe Qjnkcekm.exe File created C:\Windows\SysWOW64\Mcpeiqdc.dll Djfcaohp.exe File created C:\Windows\SysWOW64\Bfcqdoab.dll Fagjfflb.exe File created C:\Windows\SysWOW64\Ojnkocdc.dll Mogcihaj.exe File opened for modification C:\Windows\SysWOW64\Cglgjeci.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Mnlnbl32.exe Mhafeb32.exe File created C:\Windows\SysWOW64\Dimenegi.exe Djjebh32.exe File created C:\Windows\SysWOW64\Jlfpdh32.exe Jjgchm32.exe File created C:\Windows\SysWOW64\Lqkqhm32.exe Lnldla32.exe File created C:\Windows\SysWOW64\Fcpjljph.dll Lfbped32.exe File opened for modification C:\Windows\SysWOW64\Ljceqb32.exe Lcimdh32.exe File created C:\Windows\SysWOW64\Hbobhb32.dll Apodoq32.exe File created C:\Windows\SysWOW64\Adfdmepn.dll Podmkm32.exe File created C:\Windows\SysWOW64\Qjlnnemp.exe Qfpbmfdf.exe File created C:\Windows\SysWOW64\Bfhnegmc.dll Djklmo32.exe File created C:\Windows\SysWOW64\Dnbokg32.dll Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Dkceokii.exe Dheibpje.exe File created C:\Windows\SysWOW64\Nkqkhk32.exe Nbefdijg.exe File created C:\Windows\SysWOW64\Dnodbhfi.dll Bmofagfp.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Manmoq32.exe File created C:\Windows\SysWOW64\Bhpfqcln.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Hbhboolf.exe Hlnjbedi.exe File created C:\Windows\SysWOW64\Acpbbi32.exe Aodfajaj.exe File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Nnhmnn32.exe File created C:\Windows\SysWOW64\Eehnaq32.dll Boldhf32.exe File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe Dhbebj32.exe File opened for modification C:\Windows\SysWOW64\Kelkaj32.exe Kbmoen32.exe File opened for modification C:\Windows\SysWOW64\Eiaoid32.exe Ecefqnel.exe File opened for modification C:\Windows\SysWOW64\Iggjga32.exe Icknfcol.exe File opened for modification C:\Windows\SysWOW64\Omdppiif.exe Oclkgccf.exe File created C:\Windows\SysWOW64\Bdojjo32.exe Baannc32.exe File created C:\Windows\SysWOW64\Kbbhqn32.exe Knflpoqf.exe File opened for modification C:\Windows\SysWOW64\Okgaijaj.exe Oaompd32.exe File opened for modification C:\Windows\SysWOW64\Nclikl32.exe Manmoq32.exe File opened for modification C:\Windows\SysWOW64\Omgcpokp.exe Ojigdcll.exe File created C:\Windows\SysWOW64\Lihcbd32.dll Ogcnmc32.exe File created C:\Windows\SysWOW64\Amjbbfgo.exe Afpjel32.exe File opened for modification C:\Windows\SysWOW64\Bogkmgba.exe Bklomh32.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Chfegk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 940 4340 WerFault.exe 936 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gahcmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljaoeini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fngcmcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfmmplad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdppiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfcigf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqdblmhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqfkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbceggm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclkgccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbiamhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpihcgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaifp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgenbfoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnegggi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifomll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnedlao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihpif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geohklaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflibgil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milidebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidlnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjlnnemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijnep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbpaipl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbjkkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfkmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehiffj32.dll" Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liaolo32.dll" Bhamkipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bhamkipi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Malgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaflgago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfnbgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iqmidndd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnpml32.dll" Ecgcfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okkdic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnaaib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbackgod.dll" Dmpfbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjimmmpe.dll" Glcaambb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkbocbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdabh32.dll" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmaplg32.dll" Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jkgpbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jinboekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phonha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" Gncchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpnoncim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdmmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgndoeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjomap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfcoqpl.dll" Megljppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbecoe32.dll" Qkipkani.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lnjgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pckppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdkgc32.dll" Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbefdijg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll" Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgeaiknl.dll" Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chnlgjlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alnmjjdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bohibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ipmbjgpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljfhqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pefabkej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 956 wrote to memory of 3368 956 9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe 83 PID 956 wrote to memory of 3368 956 9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe 83 PID 956 wrote to memory of 3368 956 9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe 83 PID 3368 wrote to memory of 2992 3368 Ohlimd32.exe 84 PID 3368 wrote to memory of 2992 3368 Ohlimd32.exe 84 PID 3368 wrote to memory of 2992 3368 Ohlimd32.exe 84 PID 2992 wrote to memory of 1940 2992 Oofaiokl.exe 85 PID 2992 wrote to memory of 1940 2992 Oofaiokl.exe 85 PID 2992 wrote to memory of 1940 2992 Oofaiokl.exe 85 PID 1940 wrote to memory of 1044 1940 Oileggkb.exe 86 PID 1940 wrote to memory of 1044 1940 Oileggkb.exe 86 PID 1940 wrote to memory of 1044 1940 Oileggkb.exe 86 PID 1044 wrote to memory of 4472 1044 Opemca32.exe 87 PID 1044 wrote to memory of 4472 1044 Opemca32.exe 87 PID 1044 wrote to memory of 4472 1044 Opemca32.exe 87 PID 4472 wrote to memory of 2164 4472 Ogpepl32.exe 88 PID 4472 wrote to memory of 2164 4472 Ogpepl32.exe 88 PID 4472 wrote to memory of 2164 4472 Ogpepl32.exe 88 PID 2164 wrote to memory of 4596 2164 Ollnhb32.exe 89 PID 2164 wrote to memory of 4596 2164 Ollnhb32.exe 89 PID 2164 wrote to memory of 4596 2164 Ollnhb32.exe 89 PID 4596 wrote to memory of 4292 4596 Ocffempp.exe 90 PID 4596 wrote to memory of 4292 4596 Ocffempp.exe 90 PID 4596 wrote to memory of 4292 4596 Ocffempp.exe 90 PID 4292 wrote to memory of 800 4292 Pedbahod.exe 91 PID 4292 wrote to memory of 800 4292 Pedbahod.exe 91 PID 4292 wrote to memory of 800 4292 Pedbahod.exe 91 PID 800 wrote to memory of 3816 800 Ploknb32.exe 92 PID 800 wrote to memory of 3816 800 Ploknb32.exe 92 PID 800 wrote to memory of 3816 800 Ploknb32.exe 92 PID 3816 wrote to memory of 1660 3816 Pomgjn32.exe 93 PID 3816 wrote to memory of 1660 3816 Pomgjn32.exe 93 PID 3816 wrote to memory of 1660 3816 Pomgjn32.exe 93 PID 1660 wrote to memory of 1192 1660 Pfgogh32.exe 94 PID 1660 wrote to memory of 1192 1660 Pfgogh32.exe 94 PID 1660 wrote to memory of 1192 1660 Pfgogh32.exe 94 PID 1192 wrote to memory of 3252 1192 Pjbkgfej.exe 95 PID 1192 wrote to memory of 3252 1192 Pjbkgfej.exe 95 PID 1192 wrote to memory of 3252 1192 Pjbkgfej.exe 95 PID 3252 wrote to memory of 4680 3252 Pckppl32.exe 96 PID 3252 wrote to memory of 4680 3252 Pckppl32.exe 96 PID 3252 wrote to memory of 4680 3252 Pckppl32.exe 96 PID 4680 wrote to memory of 2160 4680 Phhhhc32.exe 97 PID 4680 wrote to memory of 2160 4680 Phhhhc32.exe 97 PID 4680 wrote to memory of 2160 4680 Phhhhc32.exe 97 PID 2160 wrote to memory of 1520 2160 Poaqemao.exe 98 PID 2160 wrote to memory of 1520 2160 Poaqemao.exe 98 PID 2160 wrote to memory of 1520 2160 Poaqemao.exe 98 PID 1520 wrote to memory of 1132 1520 Pcmlfl32.exe 99 PID 1520 wrote to memory of 1132 1520 Pcmlfl32.exe 99 PID 1520 wrote to memory of 1132 1520 Pcmlfl32.exe 99 PID 1132 wrote to memory of 1428 1132 Pflibgil.exe 100 PID 1132 wrote to memory of 1428 1132 Pflibgil.exe 100 PID 1132 wrote to memory of 1428 1132 Pflibgil.exe 100 PID 1428 wrote to memory of 3744 1428 Pjgebf32.exe 101 PID 1428 wrote to memory of 3744 1428 Pjgebf32.exe 101 PID 1428 wrote to memory of 3744 1428 Pjgebf32.exe 101 PID 3744 wrote to memory of 4344 3744 Podmkm32.exe 102 PID 3744 wrote to memory of 4344 3744 Podmkm32.exe 102 PID 3744 wrote to memory of 4344 3744 Podmkm32.exe 102 PID 4344 wrote to memory of 4900 4344 Pcpikkge.exe 103 PID 4344 wrote to memory of 4900 4344 Pcpikkge.exe 103 PID 4344 wrote to memory of 4900 4344 Pcpikkge.exe 103 PID 4900 wrote to memory of 2892 4900 Pgkelj32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe"C:\Users\Admin\AppData\Local\Temp\9ac9a6f38807a915524f37e1da237f0e57f08ac12ebb8ee449ad06118c904480.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe24⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe25⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe26⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe27⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe28⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe29⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe32⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe33⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe35⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe36⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe37⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4608 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe39⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe40⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe41⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe42⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe43⤵
- Executes dropped EXE
PID:3292 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe44⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe45⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe46⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe47⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe48⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe49⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe50⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe51⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4436 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe54⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe55⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe56⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe57⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe58⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe59⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe61⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe62⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe64⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3276 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe66⤵PID:3580
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe67⤵PID:4524
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe68⤵PID:336
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe69⤵PID:1032
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe70⤵PID:2884
-
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe71⤵
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe72⤵PID:2772
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe73⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe74⤵PID:2788
-
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe75⤵PID:880
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe76⤵PID:908
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe77⤵PID:3436
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe78⤵PID:4764
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe79⤵PID:2924
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe80⤵PID:4360
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe81⤵PID:3328
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe82⤵PID:912
-
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe83⤵PID:2216
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe84⤵
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe85⤵PID:4936
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe86⤵PID:2548
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe87⤵PID:2952
-
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe88⤵PID:2240
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe89⤵PID:3088
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe90⤵PID:5008
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe91⤵PID:1776
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3680 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe93⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe94⤵PID:4008
-
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe95⤵PID:708
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe96⤵PID:2452
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe97⤵PID:2864
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe98⤵PID:452
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe99⤵PID:1480
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4740 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe101⤵PID:1560
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe102⤵PID:4760
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe103⤵PID:2424
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe104⤵
- Modifies registry class
PID:4672 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe105⤵PID:1196
-
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe106⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4976 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe108⤵
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe109⤵PID:3084
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe111⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe112⤵PID:1204
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe113⤵PID:2024
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe114⤵PID:2252
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe115⤵PID:1580
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe117⤵
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe118⤵PID:5220
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe119⤵PID:5276
-
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe120⤵PID:5320
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe121⤵PID:5364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-