Analysis
-
max time kernel
95s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 00:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
-
Size
64KB
-
MD5
aaa4f437c6368827a915650a2e9c7787
-
SHA1
373d207859275b49733de9032b6ede0e7a41ebcf
-
SHA256
46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2
-
SHA512
b7dd5cbd8d373496fdac81d92bd0365876386becaf1a0e1fd8303917473571c3c36696f30ae248742aca7edf67df51f3f7512ae88cb8e6004d0433583f95404a
-
SSDEEP
1536:ZiI+u7Gh4LHcG1jrfVwm7/PkpaSftWy2rPFW2iwTbW:ZiIk4L8GTwmIpawtXiFW2VTbW
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhicpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfcaohp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjcnold.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjebh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nceefd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjccdkki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddligq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnelok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfnqmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjknfnh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Monjjgkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkqoohc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagiji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhkgoiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdamgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgfapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikmbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhgbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knefeffd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niklpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaohcj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkmjjaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmofagfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naecop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfggkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boihcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podmkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eangpgcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhabbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhgbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmmmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihnomjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhdgpii.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4568 Jfpojead.exe 2732 Jiokfpph.exe 3068 Jkmgblok.exe 2480 Jbgoof32.exe 1204 Jiaglp32.exe 724 Jpkphjeb.exe 2192 Jbileede.exe 5104 Jicdap32.exe 1612 Jkaqnk32.exe 2712 Jblijebc.exe 2720 Jejefqaf.exe 3880 Kppici32.exe 4228 Kfjapcii.exe 2344 Klfjijgq.exe 3688 Knefeffd.exe 2632 Keonap32.exe 1328 Klifnj32.exe 2548 Kbbokdlk.exe 4860 Keakgpko.exe 2520 Kpgodhkd.exe 1352 Kechmoil.exe 876 Khbdikip.exe 1196 Kfcdfbqo.exe 2928 Kiaqcnpb.exe 2160 Lnnikdnj.exe 4616 Lehaho32.exe 1856 Llbidimc.exe 3772 Lifjnm32.exe 4400 Lhijijbg.exe 1512 Lppbkgcj.exe 2104 Lbnngbbn.exe 3312 Lhkgoiqe.exe 3016 Llgcph32.exe 1212 Loeolc32.exe 4608 Lflgmqhd.exe 2584 Leoghn32.exe 1056 Lhncdi32.exe 5052 Lpekef32.exe 436 Mimpolee.exe 4900 Mhppji32.exe 3128 Mbedga32.exe 2100 Mfaqhp32.exe 3228 Mlnipg32.exe 4664 Molelb32.exe 5088 Mfcmmp32.exe 1500 Mibijk32.exe 1448 Mlpeff32.exe 2824 Moobbb32.exe 1480 Midfokpm.exe 4484 Moaogand.exe 4384 Mfhfhong.exe 1552 Mhicpg32.exe 2404 Mleoafmn.exe 4188 Mfjcnold.exe 3172 Nemcjk32.exe 2516 Nlglfe32.exe 2244 Npchgdcd.exe 1388 Nbadcpbh.exe 1340 Niklpj32.exe 3064 Nlihle32.exe 1584 Nohehq32.exe 2748 Ngomin32.exe 4540 Niniei32.exe 3864 Nlleaeff.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qeocld32.dll Bifmqo32.exe File opened for modification C:\Windows\SysWOW64\Bnkbcj32.exe Blielbfi.exe File opened for modification C:\Windows\SysWOW64\Iikmbh32.exe Iepaaico.exe File opened for modification C:\Windows\SysWOW64\Jniood32.exe Jebfng32.exe File created C:\Windows\SysWOW64\Bjdbkbbn.dll Koaagkcb.exe File created C:\Windows\SysWOW64\Jeggngeb.dll Ehfcfb32.exe File opened for modification C:\Windows\SysWOW64\Oalipoiq.exe Onnmdcjm.exe File opened for modification C:\Windows\SysWOW64\Cfnjpfcl.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Gimqajgh.exe Gbchdp32.exe File created C:\Windows\SysWOW64\Fpekmi32.dll Ibhkfm32.exe File created C:\Windows\SysWOW64\Jiiicf32.exe Jenmcggo.exe File opened for modification C:\Windows\SysWOW64\Baannc32.exe Bobabg32.exe File created C:\Windows\SysWOW64\Ecpfpo32.dll Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Nmlddqem.exe Njmhhefi.exe File created C:\Windows\SysWOW64\Mmjpbc32.dll Bhbcfbjk.exe File created C:\Windows\SysWOW64\Doepmnag.dll Jniood32.exe File created C:\Windows\SysWOW64\Ekppjn32.dll Dddllkbf.exe File created C:\Windows\SysWOW64\Elcenjob.dll Plhnda32.exe File opened for modification C:\Windows\SysWOW64\Ajeadd32.exe Aggegh32.exe File opened for modification C:\Windows\SysWOW64\Ooqqdi32.exe Oidhlb32.exe File created C:\Windows\SysWOW64\Alnmjjdb.exe Ajpqnneo.exe File created C:\Windows\SysWOW64\Elpkep32.exe Emmkiclm.exe File created C:\Windows\SysWOW64\Akdilipp.exe Agimkk32.exe File created C:\Windows\SysWOW64\Jmppfooc.dll Opadhb32.exe File opened for modification C:\Windows\SysWOW64\Knkekn32.exe Kinmcg32.exe File created C:\Windows\SysWOW64\Cjpqjh32.dll Bblnindg.exe File created C:\Windows\SysWOW64\Jfhepbll.dll Dpnkdq32.exe File opened for modification C:\Windows\SysWOW64\Iknmla32.exe Idcepgmg.exe File created C:\Windows\SysWOW64\Lkalplel.exe Lcjcnoej.exe File created C:\Windows\SysWOW64\Hahqkaaa.dll Bepmoh32.exe File created C:\Windows\SysWOW64\Blqllqqa.exe Bdickcpo.exe File created C:\Windows\SysWOW64\Lhkgoiqe.exe Lbnngbbn.exe File created C:\Windows\SysWOW64\Poodpmca.exe Plagcbdn.exe File opened for modification C:\Windows\SysWOW64\Hncmmd32.exe Hdkidohn.exe File opened for modification C:\Windows\SysWOW64\Iggaah32.exe Iakiia32.exe File created C:\Windows\SysWOW64\Acfhad32.exe Aojlaeei.exe File opened for modification C:\Windows\SysWOW64\Ccpdoqgd.exe Ckilmcgb.exe File opened for modification C:\Windows\SysWOW64\Dflmlj32.exe Dcnqpo32.exe File opened for modification C:\Windows\SysWOW64\Lomqcjie.exe Lqkqhm32.exe File opened for modification C:\Windows\SysWOW64\Phcomcng.exe Pjpobg32.exe File created C:\Windows\SysWOW64\Dapkni32.exe Diicml32.exe File created C:\Windows\SysWOW64\Fmnkkg32.exe Fhabbp32.exe File created C:\Windows\SysWOW64\Dbeojn32.dll Jncoikmp.exe File created C:\Windows\SysWOW64\Nmnqjp32.exe Nlmdbh32.exe File opened for modification C:\Windows\SysWOW64\Gpnfge32.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Ipgijcij.dll Lcdciiec.exe File created C:\Windows\SysWOW64\Onmfimga.exe Ojajin32.exe File opened for modification C:\Windows\SysWOW64\Mhicpg32.exe Mfhfhong.exe File opened for modification C:\Windows\SysWOW64\Amfjeobf.exe Ajhniccb.exe File created C:\Windows\SysWOW64\Aojjhafd.dll Cibmlmeb.exe File created C:\Windows\SysWOW64\Igliicdk.dll Acmobchj.exe File created C:\Windows\SysWOW64\Gbeejp32.exe Gpgind32.exe File created C:\Windows\SysWOW64\Nfaemp32.exe Ncchae32.exe File opened for modification C:\Windows\SysWOW64\Baegibae.exe Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Bahdob32.exe Bnlhncgi.exe File opened for modification C:\Windows\SysWOW64\Khbdikip.exe Kechmoil.exe File created C:\Windows\SysWOW64\Gfkincfn.dll Nemcjk32.exe File created C:\Windows\SysWOW64\Oodlnfco.dll Nhokljge.exe File created C:\Windows\SysWOW64\Addaif32.exe Aafemk32.exe File opened for modification C:\Windows\SysWOW64\Dnpdegjp.exe Dkahilkl.exe File created C:\Windows\SysWOW64\Ogbdnipf.dll Fihnomjp.exe File opened for modification C:\Windows\SysWOW64\Oghghb32.exe Opqofe32.exe File created C:\Windows\SysWOW64\Geqnma32.dll Apjkcadp.exe File created C:\Windows\SysWOW64\Phcomcng.exe Pjpobg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6876 7072 Process not Found 1131 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monjjgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclbpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocddono.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqpbglno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemcjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fligqhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfaapbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnlkfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlgleef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiaglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcelmhen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfokoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblpdgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcgcqab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmclccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlgdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcdbfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkmec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oileggkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqkddfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefedmil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhcgaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifjnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inainbcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaohcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnlmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgflqkdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqkill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fielph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacjadad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qebhhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehngkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaplqh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afnnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looknpmn.dll" Bpnihiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefgbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnhdgpii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aggegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjlgdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamgpme.dll" Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modgdicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll" Dhphmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niklpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenlqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmoekkn.dll" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjfni32.dll" Hpfcdojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqpjb32.dll" Lehaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahchda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiemobf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbdgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfaqhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfjnjcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfinqm32.dll" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfihkqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efblbbqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll" Oaplqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnboabc.dll" Fhofmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phedhmhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papfgbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncliqp32.dll" Ebjcajjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfjlb32.dll" Lflgmqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcjiff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohofdmkm.dll" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjaqpbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkellk32.dll" Ahjgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgeghp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll" Oaifpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkincfn.dll" Nemcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidqko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnggge32.dll" Lnnbqnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkpqkcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icknfcol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1652 wrote to memory of 4568 1652 46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe 85 PID 1652 wrote to memory of 4568 1652 46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe 85 PID 1652 wrote to memory of 4568 1652 46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe 85 PID 4568 wrote to memory of 2732 4568 Jfpojead.exe 86 PID 4568 wrote to memory of 2732 4568 Jfpojead.exe 86 PID 4568 wrote to memory of 2732 4568 Jfpojead.exe 86 PID 2732 wrote to memory of 3068 2732 Jiokfpph.exe 87 PID 2732 wrote to memory of 3068 2732 Jiokfpph.exe 87 PID 2732 wrote to memory of 3068 2732 Jiokfpph.exe 87 PID 3068 wrote to memory of 2480 3068 Jkmgblok.exe 88 PID 3068 wrote to memory of 2480 3068 Jkmgblok.exe 88 PID 3068 wrote to memory of 2480 3068 Jkmgblok.exe 88 PID 2480 wrote to memory of 1204 2480 Jbgoof32.exe 89 PID 2480 wrote to memory of 1204 2480 Jbgoof32.exe 89 PID 2480 wrote to memory of 1204 2480 Jbgoof32.exe 89 PID 1204 wrote to memory of 724 1204 Jiaglp32.exe 90 PID 1204 wrote to memory of 724 1204 Jiaglp32.exe 90 PID 1204 wrote to memory of 724 1204 Jiaglp32.exe 90 PID 724 wrote to memory of 2192 724 Jpkphjeb.exe 91 PID 724 wrote to memory of 2192 724 Jpkphjeb.exe 91 PID 724 wrote to memory of 2192 724 Jpkphjeb.exe 91 PID 2192 wrote to memory of 5104 2192 Jbileede.exe 92 PID 2192 wrote to memory of 5104 2192 Jbileede.exe 92 PID 2192 wrote to memory of 5104 2192 Jbileede.exe 92 PID 5104 wrote to memory of 1612 5104 Jicdap32.exe 93 PID 5104 wrote to memory of 1612 5104 Jicdap32.exe 93 PID 5104 wrote to memory of 1612 5104 Jicdap32.exe 93 PID 1612 wrote to memory of 2712 1612 Jkaqnk32.exe 94 PID 1612 wrote to memory of 2712 1612 Jkaqnk32.exe 94 PID 1612 wrote to memory of 2712 1612 Jkaqnk32.exe 94 PID 2712 wrote to memory of 2720 2712 Jblijebc.exe 95 PID 2712 wrote to memory of 2720 2712 Jblijebc.exe 95 PID 2712 wrote to memory of 2720 2712 Jblijebc.exe 95 PID 2720 wrote to memory of 3880 2720 Jejefqaf.exe 96 PID 2720 wrote to memory of 3880 2720 Jejefqaf.exe 96 PID 2720 wrote to memory of 3880 2720 Jejefqaf.exe 96 PID 3880 wrote to memory of 4228 3880 Kppici32.exe 98 PID 3880 wrote to memory of 4228 3880 Kppici32.exe 98 PID 3880 wrote to memory of 4228 3880 Kppici32.exe 98 PID 4228 wrote to memory of 2344 4228 Kfjapcii.exe 99 PID 4228 wrote to memory of 2344 4228 Kfjapcii.exe 99 PID 4228 wrote to memory of 2344 4228 Kfjapcii.exe 99 PID 2344 wrote to memory of 3688 2344 Klfjijgq.exe 100 PID 2344 wrote to memory of 3688 2344 Klfjijgq.exe 100 PID 2344 wrote to memory of 3688 2344 Klfjijgq.exe 100 PID 3688 wrote to memory of 2632 3688 Knefeffd.exe 101 PID 3688 wrote to memory of 2632 3688 Knefeffd.exe 101 PID 3688 wrote to memory of 2632 3688 Knefeffd.exe 101 PID 2632 wrote to memory of 1328 2632 Keonap32.exe 102 PID 2632 wrote to memory of 1328 2632 Keonap32.exe 102 PID 2632 wrote to memory of 1328 2632 Keonap32.exe 102 PID 1328 wrote to memory of 2548 1328 Klifnj32.exe 104 PID 1328 wrote to memory of 2548 1328 Klifnj32.exe 104 PID 1328 wrote to memory of 2548 1328 Klifnj32.exe 104 PID 2548 wrote to memory of 4860 2548 Kbbokdlk.exe 105 PID 2548 wrote to memory of 4860 2548 Kbbokdlk.exe 105 PID 2548 wrote to memory of 4860 2548 Kbbokdlk.exe 105 PID 4860 wrote to memory of 2520 4860 Keakgpko.exe 106 PID 4860 wrote to memory of 2520 4860 Keakgpko.exe 106 PID 4860 wrote to memory of 2520 4860 Keakgpko.exe 106 PID 2520 wrote to memory of 1352 2520 Kpgodhkd.exe 107 PID 2520 wrote to memory of 1352 2520 Kpgodhkd.exe 107 PID 2520 wrote to memory of 1352 2520 Kpgodhkd.exe 107 PID 1352 wrote to memory of 876 1352 Kechmoil.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe"C:\Users\Admin\AppData\Local\Temp\46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe23⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe24⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe25⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe26⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe28⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3772 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe30⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe31⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe34⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe35⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe37⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe38⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe39⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe40⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe41⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe42⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe45⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe46⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe47⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Mlpeff32.exeC:\Windows\system32\Mlpeff32.exe48⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe49⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Midfokpm.exeC:\Windows\system32\Midfokpm.exe50⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe51⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe54⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe57⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe58⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe59⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe61⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe62⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe63⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe64⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe65⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe66⤵PID:64
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe67⤵PID:5084
-
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe68⤵PID:3384
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe69⤵PID:1076
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe70⤵PID:4148
-
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe71⤵
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe72⤵PID:2764
-
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe73⤵PID:4744
-
C:\Windows\SysWOW64\Ohgoaehe.exeC:\Windows\system32\Ohgoaehe.exe74⤵PID:3560
-
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe75⤵PID:3524
-
C:\Windows\SysWOW64\Ocmconhk.exeC:\Windows\system32\Ocmconhk.exe76⤵PID:1452
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe77⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe78⤵PID:2276
-
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe79⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe80⤵
- System Location Discovery: System Language Discovery
PID:516 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe81⤵
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe82⤵PID:3536
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe83⤵
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe84⤵PID:3152
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe85⤵
- System Location Discovery: System Language Discovery
PID:3796 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe86⤵PID:1224
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe87⤵PID:780
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe88⤵PID:2588
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe89⤵PID:5156
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe90⤵PID:5196
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe91⤵PID:5244
-
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe92⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe93⤵PID:5332
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe94⤵PID:5380
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe95⤵PID:5424
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe96⤵PID:5468
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe97⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe98⤵PID:5556
-
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe99⤵
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe100⤵PID:5644
-
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe101⤵PID:5688
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe102⤵PID:5736
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe103⤵PID:5780
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe104⤵PID:5840
-
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe105⤵PID:5900
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe106⤵PID:5948
-
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe107⤵PID:5996
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6044 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe109⤵PID:6088
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe110⤵PID:6136
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe111⤵PID:5184
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe112⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe113⤵PID:5312
-
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe114⤵PID:5392
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe115⤵PID:5452
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe116⤵PID:5524
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe117⤵PID:5592
-
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5660 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe119⤵PID:5720
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe120⤵PID:5824
-
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe121⤵PID:5908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-