Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 14:57
Behavioral task
behavioral1
Sample
2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe
Resource
win7-20240903-en
General
-
Target
2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe
-
Size
93KB
-
MD5
c3ae137ec8f348e132b0a3dd85bf7ff1
-
SHA1
116beb9578128dffc17c2bb89dc2fcf27543550d
-
SHA256
2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5
-
SHA512
c650a233f0196b694dbec36ee1e1b011759e9c1a10e2e7adb6de15dfd536f251e67e3cf93e9a04f78e9f0abbf66900c8df2456ca8e6855511fd4e830709fc151
-
SSDEEP
1536:YtiOI5ATPaM7H0qOfMKvce+gT1DaYfMZRWuLsV+1Z:Y5V7efxce+gTgYfc0DV+1Z
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iinjhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jniood32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haoimcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjellmbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcecjmkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdkoch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkdcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhdhon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jncoikmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgjijmin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqogq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdhon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlphbnoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odalmibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hedafk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eipinkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkkhhmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmmhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpcal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niakfbpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mebcop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflide32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bafndi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogddd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfamapjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkbjjbda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdbnmji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkmec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injcmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgccb32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 756 Mefmimif.exe 1540 Mhdjehhj.exe 2896 Mplafeil.exe 1244 Mffjcopi.exe 2216 Mhgfkg32.exe 3160 Mpnnle32.exe 952 Mfhfhong.exe 5000 Mhicpg32.exe 2760 Mpqkad32.exe 1428 Nemcjk32.exe 1128 Nlglfe32.exe 2712 Noehba32.exe 1528 Ngmpcn32.exe 2660 Nlihle32.exe 840 Nebmekoi.exe 1264 Npgabc32.exe 2708 Nedjjj32.exe 2612 Nlnbgddc.exe 324 Neffpj32.exe 2180 Nlqomd32.exe 908 Nookip32.exe 2776 Ogfcjm32.exe 1848 Opogbbig.exe 2172 Oigllh32.exe 3444 Olehhc32.exe 2908 Oocddono.exe 4536 Oenlqi32.exe 624 Olgemcli.exe 880 Opcqnb32.exe 1520 Ocamjm32.exe 2728 Ogmijllo.exe 1784 Oohnonij.exe 4240 Ojnblg32.exe 568 Ookjdn32.exe 736 Pedbahod.exe 3116 Ppjgoaoj.exe 4136 Pjbkgfej.exe 2348 Pckppl32.exe 3744 Pjehmfch.exe 4324 Ppopjp32.exe 3184 Poaqemao.exe 4360 Pflibgil.exe 4628 Ppamophb.exe 820 Pgkelj32.exe 3540 Phlacbfm.exe 2488 Pofjpl32.exe 3660 Qgnbaj32.exe 2888 Qjlnnemp.exe 1064 Qoifflkg.exe 4068 Qfbobf32.exe 2016 Qhakoa32.exe 2444 Acgolj32.exe 3000 Ajqgidij.exe 4824 Amodep32.exe 2200 Acilajpk.exe 3528 Afghneoo.exe 1524 Amaqjp32.exe 3088 Ackigjmh.exe 4764 Aggegh32.exe 2244 Amcmpodi.exe 1712 Acnemi32.exe 2700 Agiamhdo.exe 4812 Amfjeobf.exe 4592 Acpbbi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fineoi32.exe Ffpicn32.exe File opened for modification C:\Windows\SysWOW64\Igedlh32.exe Idghpmnp.exe File created C:\Windows\SysWOW64\Ojqcnhkl.exe Process not Found File created C:\Windows\SysWOW64\Ckpamabg.exe Process not Found File created C:\Windows\SysWOW64\Jofill32.dll Gpnmbl32.exe File created C:\Windows\SysWOW64\Blciboie.dll Pkgcea32.exe File opened for modification C:\Windows\SysWOW64\Fdlkdhnk.exe Fooclapd.exe File created C:\Windows\SysWOW64\Ipjiligp.dll Fmnkkg32.exe File created C:\Windows\SysWOW64\Kiejmi32.exe Jbkbpoog.exe File opened for modification C:\Windows\SysWOW64\Bckkca32.exe Bopocbcq.exe File created C:\Windows\SysWOW64\Jjgchm32.exe Icnklbmj.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Polppg32.exe Plndcl32.exe File opened for modification C:\Windows\SysWOW64\Ejalcgkg.exe Ebjcajjd.exe File created C:\Windows\SysWOW64\Ijagjini.dll Elgaeolp.exe File created C:\Windows\SysWOW64\Nppbddqg.dll Process not Found File created C:\Windows\SysWOW64\Kodapf32.dll Lgccinoe.exe File created C:\Windows\SysWOW64\Jgbchj32.exe Jphkkpbp.exe File opened for modification C:\Windows\SysWOW64\Nhegig32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jdodkebj.exe Jpdhkf32.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kcndbp32.exe File created C:\Windows\SysWOW64\Omfmcjlk.dll Ohlqcagj.exe File opened for modification C:\Windows\SysWOW64\Ibmeoq32.exe Inainbcn.exe File opened for modification C:\Windows\SysWOW64\Ejchhgid.exe Epndknin.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Kkeldnpi.exe File created C:\Windows\SysWOW64\Ncnofeof.exe Nqpcjj32.exe File opened for modification C:\Windows\SysWOW64\Lepleocn.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gmeakf32.exe Ggkiol32.exe File created C:\Windows\SysWOW64\Bbfmgd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Maiccajf.exe Mnkggfkb.exe File created C:\Windows\SysWOW64\Kqmfklog.dll Alkijdci.exe File created C:\Windows\SysWOW64\Iblhpckf.dll Lnldla32.exe File opened for modification C:\Windows\SysWOW64\Cgqlcg32.exe Cdbpgl32.exe File opened for modification C:\Windows\SysWOW64\Pciqnk32.exe Process not Found File created C:\Windows\SysWOW64\Amikgpcc.exe Process not Found File created C:\Windows\SysWOW64\Bjlgdc32.exe Bcbohigp.exe File created C:\Windows\SysWOW64\Ohmkjd32.dll Cgcmjd32.exe File created C:\Windows\SysWOW64\Jhndljll.exe Jqglkmlj.exe File created C:\Windows\SysWOW64\Jihdpleo.dll Gphphj32.exe File created C:\Windows\SysWOW64\Enbjad32.exe Eppjfgcp.exe File created C:\Windows\SysWOW64\Kpanan32.exe Kncaec32.exe File opened for modification C:\Windows\SysWOW64\Cpleig32.exe Cmniml32.exe File created C:\Windows\SysWOW64\Gcilohid.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oloahhki.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Qdphngfl.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Hdbplg32.dll Gfeaopqo.exe File created C:\Windows\SysWOW64\Famkjfqd.dll Ljceqb32.exe File created C:\Windows\SysWOW64\Jnblgj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ljbnfleo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bhamkipi.exe Bcddcbab.exe File created C:\Windows\SysWOW64\Dnodbhfi.dll Bombmcec.exe File created C:\Windows\SysWOW64\Ccmgiaig.exe Ckfphc32.exe File opened for modification C:\Windows\SysWOW64\Cfnqklgh.exe Cmflbf32.exe File created C:\Windows\SysWOW64\Hojpmg32.dll Pddhbipj.exe File created C:\Windows\SysWOW64\Hnflfgji.dll Cponen32.exe File created C:\Windows\SysWOW64\Gfokoelp.exe Gdaociml.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jnelok32.exe File created C:\Windows\SysWOW64\Jhohnk32.dll Knalji32.exe File created C:\Windows\SysWOW64\Ohkkhhmh.exe Oelolmnd.exe File created C:\Windows\SysWOW64\Ankkea32.dll Efeihb32.exe File created C:\Windows\SysWOW64\Edgbii32.exe Ebifmm32.exe File created C:\Windows\SysWOW64\Mcpeiqdc.dll Dfjgaq32.exe File created C:\Windows\SysWOW64\Hmkjpibb.dll Oeoblb32.exe File created C:\Windows\SysWOW64\Ofgdcipq.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 9520 7516 Process not Found 1308 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnbgddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faenpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjcbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgicgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadlbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclkee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inainbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kecabifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcaofebg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akglloai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqqdeod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinmhkke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fielph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjhpcmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdlffhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkceokii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljgpkonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkbbmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daediilg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdckaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhpfbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfgcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddadpdmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmoohe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlkdhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocddono.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcpel32.dll" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohnonij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkjbip32.dll" Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiohdo32.dll" Hlambk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bddchh32.dll" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdpecjm.dll" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqhdbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehbnigjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhalefe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phajna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamophb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajnp32.dll" Jqglkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjiffif.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akcjkfij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcedencn.dll" Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iplkpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gicgpelg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elpkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmao32.dll" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll" Ebfign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" Mjellmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifdaage.dll" Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoelkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljcnd32.dll" Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjfibml.dll" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdlangb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pioelhgj.dll" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfmkfhq.dll" Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlonj32.dll" Jkjcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmcnn32.dll" Ljobpiql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfjgifo.dll" Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Holfoqcm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3292 wrote to memory of 756 3292 2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe 82 PID 3292 wrote to memory of 756 3292 2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe 82 PID 3292 wrote to memory of 756 3292 2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe 82 PID 756 wrote to memory of 1540 756 Mefmimif.exe 83 PID 756 wrote to memory of 1540 756 Mefmimif.exe 83 PID 756 wrote to memory of 1540 756 Mefmimif.exe 83 PID 1540 wrote to memory of 2896 1540 Mhdjehhj.exe 84 PID 1540 wrote to memory of 2896 1540 Mhdjehhj.exe 84 PID 1540 wrote to memory of 2896 1540 Mhdjehhj.exe 84 PID 2896 wrote to memory of 1244 2896 Mplafeil.exe 85 PID 2896 wrote to memory of 1244 2896 Mplafeil.exe 85 PID 2896 wrote to memory of 1244 2896 Mplafeil.exe 85 PID 1244 wrote to memory of 2216 1244 Mffjcopi.exe 86 PID 1244 wrote to memory of 2216 1244 Mffjcopi.exe 86 PID 1244 wrote to memory of 2216 1244 Mffjcopi.exe 86 PID 2216 wrote to memory of 3160 2216 Mhgfkg32.exe 87 PID 2216 wrote to memory of 3160 2216 Mhgfkg32.exe 87 PID 2216 wrote to memory of 3160 2216 Mhgfkg32.exe 87 PID 3160 wrote to memory of 952 3160 Mpnnle32.exe 88 PID 3160 wrote to memory of 952 3160 Mpnnle32.exe 88 PID 3160 wrote to memory of 952 3160 Mpnnle32.exe 88 PID 952 wrote to memory of 5000 952 Mfhfhong.exe 89 PID 952 wrote to memory of 5000 952 Mfhfhong.exe 89 PID 952 wrote to memory of 5000 952 Mfhfhong.exe 89 PID 5000 wrote to memory of 2760 5000 Mhicpg32.exe 90 PID 5000 wrote to memory of 2760 5000 Mhicpg32.exe 90 PID 5000 wrote to memory of 2760 5000 Mhicpg32.exe 90 PID 2760 wrote to memory of 1428 2760 Mpqkad32.exe 91 PID 2760 wrote to memory of 1428 2760 Mpqkad32.exe 91 PID 2760 wrote to memory of 1428 2760 Mpqkad32.exe 91 PID 1428 wrote to memory of 1128 1428 Nemcjk32.exe 92 PID 1428 wrote to memory of 1128 1428 Nemcjk32.exe 92 PID 1428 wrote to memory of 1128 1428 Nemcjk32.exe 92 PID 1128 wrote to memory of 2712 1128 Nlglfe32.exe 93 PID 1128 wrote to memory of 2712 1128 Nlglfe32.exe 93 PID 1128 wrote to memory of 2712 1128 Nlglfe32.exe 93 PID 2712 wrote to memory of 1528 2712 Noehba32.exe 94 PID 2712 wrote to memory of 1528 2712 Noehba32.exe 94 PID 2712 wrote to memory of 1528 2712 Noehba32.exe 94 PID 1528 wrote to memory of 2660 1528 Ngmpcn32.exe 95 PID 1528 wrote to memory of 2660 1528 Ngmpcn32.exe 95 PID 1528 wrote to memory of 2660 1528 Ngmpcn32.exe 95 PID 2660 wrote to memory of 840 2660 Nlihle32.exe 96 PID 2660 wrote to memory of 840 2660 Nlihle32.exe 96 PID 2660 wrote to memory of 840 2660 Nlihle32.exe 96 PID 840 wrote to memory of 1264 840 Nebmekoi.exe 97 PID 840 wrote to memory of 1264 840 Nebmekoi.exe 97 PID 840 wrote to memory of 1264 840 Nebmekoi.exe 97 PID 1264 wrote to memory of 2708 1264 Npgabc32.exe 98 PID 1264 wrote to memory of 2708 1264 Npgabc32.exe 98 PID 1264 wrote to memory of 2708 1264 Npgabc32.exe 98 PID 2708 wrote to memory of 2612 2708 Nedjjj32.exe 99 PID 2708 wrote to memory of 2612 2708 Nedjjj32.exe 99 PID 2708 wrote to memory of 2612 2708 Nedjjj32.exe 99 PID 2612 wrote to memory of 324 2612 Nlnbgddc.exe 100 PID 2612 wrote to memory of 324 2612 Nlnbgddc.exe 100 PID 2612 wrote to memory of 324 2612 Nlnbgddc.exe 100 PID 324 wrote to memory of 2180 324 Neffpj32.exe 101 PID 324 wrote to memory of 2180 324 Neffpj32.exe 101 PID 324 wrote to memory of 2180 324 Neffpj32.exe 101 PID 2180 wrote to memory of 908 2180 Nlqomd32.exe 102 PID 2180 wrote to memory of 908 2180 Nlqomd32.exe 102 PID 2180 wrote to memory of 908 2180 Nlqomd32.exe 102 PID 908 wrote to memory of 2776 908 Nookip32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe"C:\Users\Admin\AppData\Local\Temp\2f425e4649bd53c198e645992965fc98e0596b9d3c8b3eb60a0227cafd4aedf5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Nebmekoi.exeC:\Windows\system32\Nebmekoi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe23⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe24⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Oigllh32.exeC:\Windows\system32\Oigllh32.exe25⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe26⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe28⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe29⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe30⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe31⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe32⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe34⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe35⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe36⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe37⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe38⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe39⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe40⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe41⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe42⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe43⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4628 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe45⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe46⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe47⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe48⤵
- Executes dropped EXE
PID:3660 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe49⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe50⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe51⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe52⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe53⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe54⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe55⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe56⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe57⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe59⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe60⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe62⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe63⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe64⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4592 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe66⤵PID:4528
-
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe67⤵PID:3324
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe68⤵PID:436
-
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe69⤵
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe70⤵PID:1420
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe71⤵PID:2576
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe72⤵PID:4432
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4896 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe74⤵PID:2560
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe75⤵PID:4852
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe76⤵
- Modifies registry class
PID:388 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe77⤵PID:540
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe78⤵PID:2960
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe79⤵PID:1996
-
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3456 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe81⤵PID:3916
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe82⤵PID:4956
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe83⤵PID:3164
-
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe84⤵PID:1860
-
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe85⤵PID:1760
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe86⤵PID:664
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe87⤵PID:208
-
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe88⤵
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe89⤵PID:1732
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe90⤵PID:2364
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe91⤵PID:4512
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe92⤵
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe93⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe94⤵PID:5060
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe96⤵PID:2004
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe97⤵
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe98⤵PID:1592
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe99⤵PID:2468
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe100⤵PID:4520
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe101⤵PID:1604
-
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe102⤵PID:4552
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe105⤵PID:244
-
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe106⤵PID:1532
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe107⤵PID:2292
-
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe108⤵PID:2408
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe109⤵PID:988
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe110⤵PID:3652
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe111⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe112⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe113⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe114⤵
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:456 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4532 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe117⤵PID:516
-
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe118⤵PID:4332
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe119⤵PID:4500
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe120⤵PID:1516
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe121⤵PID:4412
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe122⤵PID:2032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-