Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 20:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe
Resource
win7-20250207-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe
-
Size
96KB
-
MD5
4c440405fd6361a590ceeefabe499784
-
SHA1
88ff794d92c0e9cd2560692cd6ac4a76767a1ff4
-
SHA256
12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e
-
SHA512
d35a27e8a7da140176c213ee81a43b185785ba914e26a4d311937b1ee31914fbf36c7d64278c76c7deb237a73c5ebb35c9ebe086fce0a5b5015cb89d8efbc056
-
SSDEEP
1536:CN32FUWvLRrMS4OJOHba1k0DIHyVIvHuFKK7ktaAjWbjtKBvU:CNitr7ogkIhImFKK7ktVwtCU
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnkggfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmoiqneg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkmgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdocph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphioh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnmopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmmlamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iajdgcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhiogdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpjmph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinkojm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affikdfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqgedh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijfnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfdpad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbiockdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcfbkpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oafcqcea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edbiniff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpcinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnocf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcgpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeelnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgmhcaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egkddo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgpkonp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phincl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gblbca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmgqpkip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcmfnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcapicdj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2640 Hacbhb32.exe 972 Ihnkel32.exe 3620 Iklgah32.exe 2764 Injcmc32.exe 3460 Iddljmpc.exe 2168 Ikndgg32.exe 4808 Iahlcaol.exe 3864 Idghpmnp.exe 2912 Igedlh32.exe 1532 Inomhbeq.exe 3060 Idieem32.exe 1556 Ijfnmc32.exe 1980 Iqpfjnba.exe 692 Ihgnkkbd.exe 3728 Indfca32.exe 4276 Jhijqj32.exe 3632 Jjjghcfp.exe 1236 Jhpqaiji.exe 4208 Jgcamf32.exe 2084 Jdgafjpn.exe 4012 Jkaicd32.exe 4112 Jnpfop32.exe 3144 Kdinljnk.exe 1560 Kkcfid32.exe 1472 Kelkaj32.exe 1928 Kgjgne32.exe 1636 Kjhcjq32.exe 4828 Kqbkfkal.exe 4316 Kgmcce32.exe 4156 Kbbhqn32.exe 3428 Keqdmihc.exe 2100 Kjmmepfj.exe 3372 Kecabifp.exe 116 Kkmioc32.exe 1288 Lbgalmej.exe 2272 Lajagj32.exe 3048 Lkofdbkj.exe 1716 Lbinam32.exe 4556 Lalnmiia.exe 816 Lgffic32.exe 1096 Lnpofnhk.exe 4952 Lankbigo.exe 2456 Lldopb32.exe 2108 Ljgpkonp.exe 2704 Lbngllob.exe 2568 Lacdmh32.exe 4876 Mbbagk32.exe 3348 Mlkepaam.exe 4500 Mecjif32.exe 3536 Mlmbfqoj.exe 3080 Mbgjbkfg.exe 3672 Meefofek.exe 2628 Mlpokp32.exe 4568 Malgcg32.exe 1896 Mehcdfch.exe 2296 Mhfppabl.exe 4304 Mlbkap32.exe 1104 Mnphmkji.exe 3660 Maodigil.exe 3736 Mldhfpib.exe 3612 Nemmoe32.exe 4660 Nlfelogp.exe 4860 Njiegl32.exe 2236 Nbqmiinl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mlmbfqoj.exe Mecjif32.exe File created C:\Windows\SysWOW64\Olbdhn32.exe Oidhlb32.exe File created C:\Windows\SysWOW64\Jfkafocc.dll Iphioh32.exe File created C:\Windows\SysWOW64\Hopnfa32.dll Pehngkcg.exe File opened for modification C:\Windows\SysWOW64\Bkibgh32.exe Bhkfkmmg.exe File created C:\Windows\SysWOW64\Heegad32.exe Hbgkei32.exe File created C:\Windows\SysWOW64\Hbihjifh.exe Hlppno32.exe File created C:\Windows\SysWOW64\Cdjblf32.exe Cpogkhnl.exe File created C:\Windows\SysWOW64\Lalnmiia.exe Lbinam32.exe File created C:\Windows\SysWOW64\Fnnhjlpl.dll Oohgdhfn.exe File created C:\Windows\SysWOW64\Cnindhpg.exe Ckjbhmad.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Lncjlq32.exe File created C:\Windows\SysWOW64\Jodamh32.dll Ekngemhd.exe File created C:\Windows\SysWOW64\Fclhpo32.exe Process not Found File created C:\Windows\SysWOW64\Fjinnekj.dll Process not Found File created C:\Windows\SysWOW64\Fofobm32.dll Process not Found File created C:\Windows\SysWOW64\Apedgj32.dll Bcahmb32.exe File created C:\Windows\SysWOW64\Aplhmakj.dll Dkdliame.exe File opened for modification C:\Windows\SysWOW64\Mnpabe32.exe Mjdebfnd.exe File opened for modification C:\Windows\SysWOW64\Akccap32.exe Alpbecod.exe File created C:\Windows\SysWOW64\Bochmn32.exe Alelqb32.exe File created C:\Windows\SysWOW64\Jocefm32.exe Jmbhoeid.exe File created C:\Windows\SysWOW64\Cggimh32.exe Cpmapodj.exe File created C:\Windows\SysWOW64\Fcndmiqg.dll Mapppn32.exe File created C:\Windows\SysWOW64\Jnchkf32.dll Iahlcaol.exe File created C:\Windows\SysWOW64\Jbnnbmfj.dll Oaompd32.exe File opened for modification C:\Windows\SysWOW64\Pkcadhgm.exe Plpqil32.exe File opened for modification C:\Windows\SysWOW64\Fllkqn32.exe Fjjnifbl.exe File opened for modification C:\Windows\SysWOW64\Fmkgkapm.exe Fjmkoeqi.exe File created C:\Windows\SysWOW64\Jmpjlk32.dll Mqdcnl32.exe File created C:\Windows\SysWOW64\Mokmdh32.exe Mmmqhl32.exe File created C:\Windows\SysWOW64\Hpioin32.exe Hioflcbj.exe File created C:\Windows\SysWOW64\Bchign32.dll Lmdemd32.exe File created C:\Windows\SysWOW64\Lfcpgb32.dll Jekqmhia.exe File created C:\Windows\SysWOW64\Gpcpel32.dll Jnlkedai.exe File created C:\Windows\SysWOW64\Dagdgfkf.dll Iojkeh32.exe File created C:\Windows\SysWOW64\Laiimcij.dll Loacdc32.exe File created C:\Windows\SysWOW64\Pfojdh32.exe Ppdbgncl.exe File created C:\Windows\SysWOW64\Fncibg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gddgpqbe.exe Process not Found File created C:\Windows\SysWOW64\Emmkiclm.exe Ejoomhmi.exe File opened for modification C:\Windows\SysWOW64\Fbhpch32.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Meiioonj.exe Mnpabe32.exe File created C:\Windows\SysWOW64\Hponje32.dll Ohmhmh32.exe File created C:\Windows\SysWOW64\Dnpdegjp.exe Dkahilkl.exe File created C:\Windows\SysWOW64\Ehmjob32.dll Lgibpf32.exe File opened for modification C:\Windows\SysWOW64\Nflkbanj.exe Npbceggm.exe File created C:\Windows\SysWOW64\Gpkehj32.dll Affikdfn.exe File created C:\Windows\SysWOW64\Dajkgl32.dll Jjjghcfp.exe File created C:\Windows\SysWOW64\Bjmped32.dll Kkcfid32.exe File created C:\Windows\SysWOW64\Mieced32.dll Mehcdfch.exe File created C:\Windows\SysWOW64\Bccbakce.dll Fibhpbea.exe File created C:\Windows\SysWOW64\Idllbp32.dll Aafemk32.exe File created C:\Windows\SysWOW64\Gahamgib.dll Dnbakghm.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Keimof32.exe File created C:\Windows\SysWOW64\Conanfli.exe Cggimh32.exe File created C:\Windows\SysWOW64\Kdinljnk.exe Jnpfop32.exe File created C:\Windows\SysWOW64\Haplhc32.dll Kgmcce32.exe File opened for modification C:\Windows\SysWOW64\Mldhfpib.exe Maodigil.exe File created C:\Windows\SysWOW64\Oikmnf32.dll Fjmkoeqi.exe File created C:\Windows\SysWOW64\Bgeemcfc.dll Nmenca32.exe File created C:\Windows\SysWOW64\Nbalhp32.dll Bojomm32.exe File opened for modification C:\Windows\SysWOW64\Glkmmefl.exe Geaepk32.exe File opened for modification C:\Windows\SysWOW64\Ddkbmj32.exe Damfao32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6304 18176 Process not Found 1157 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbnpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coegoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehdfdek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhldbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemmoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnkonbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbaalbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmkkjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdhffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iepaaico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peieba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebifmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efpomccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaagkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palklf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnblnlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikkpgafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfaapbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbonoghb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekonpckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baepolni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpokp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkadoiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaclqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjmekgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niakfbpa.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgbchj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll" Ihmfco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhgac32.dll" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjpjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapjhc32.dll" Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfllfd32.dll" Kglmio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjahlgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hckeoeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll" Mjjkaabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fooclapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Gbiockdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamojc32.dll" Igedlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfjfecno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfagighf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpogkhnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edaaccbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inomhbeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joahqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnangaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbenoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjccdkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbjkgmg.dll" Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfgko32.dll" Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll" Amjbbfgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jekjcaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocihgnam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qfjjpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhlkilba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll" Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhehh32.dll" Abcgjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdpoomj.dll" Ockdmmoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aidehpea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dknnoofg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojajin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgdncplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll" Djegekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll" Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnnbmfj.dll" Oaompd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npbceggm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekjded32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjppk32.dll" Hacbhb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2640 1728 12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe 86 PID 1728 wrote to memory of 2640 1728 12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe 86 PID 1728 wrote to memory of 2640 1728 12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe 86 PID 2640 wrote to memory of 972 2640 Hacbhb32.exe 87 PID 2640 wrote to memory of 972 2640 Hacbhb32.exe 87 PID 2640 wrote to memory of 972 2640 Hacbhb32.exe 87 PID 972 wrote to memory of 3620 972 Ihnkel32.exe 88 PID 972 wrote to memory of 3620 972 Ihnkel32.exe 88 PID 972 wrote to memory of 3620 972 Ihnkel32.exe 88 PID 3620 wrote to memory of 2764 3620 Iklgah32.exe 89 PID 3620 wrote to memory of 2764 3620 Iklgah32.exe 89 PID 3620 wrote to memory of 2764 3620 Iklgah32.exe 89 PID 2764 wrote to memory of 3460 2764 Injcmc32.exe 90 PID 2764 wrote to memory of 3460 2764 Injcmc32.exe 90 PID 2764 wrote to memory of 3460 2764 Injcmc32.exe 90 PID 3460 wrote to memory of 2168 3460 Iddljmpc.exe 91 PID 3460 wrote to memory of 2168 3460 Iddljmpc.exe 91 PID 3460 wrote to memory of 2168 3460 Iddljmpc.exe 91 PID 2168 wrote to memory of 4808 2168 Ikndgg32.exe 92 PID 2168 wrote to memory of 4808 2168 Ikndgg32.exe 92 PID 2168 wrote to memory of 4808 2168 Ikndgg32.exe 92 PID 4808 wrote to memory of 3864 4808 Iahlcaol.exe 94 PID 4808 wrote to memory of 3864 4808 Iahlcaol.exe 94 PID 4808 wrote to memory of 3864 4808 Iahlcaol.exe 94 PID 3864 wrote to memory of 2912 3864 Idghpmnp.exe 95 PID 3864 wrote to memory of 2912 3864 Idghpmnp.exe 95 PID 3864 wrote to memory of 2912 3864 Idghpmnp.exe 95 PID 2912 wrote to memory of 1532 2912 Igedlh32.exe 96 PID 2912 wrote to memory of 1532 2912 Igedlh32.exe 96 PID 2912 wrote to memory of 1532 2912 Igedlh32.exe 96 PID 1532 wrote to memory of 3060 1532 Inomhbeq.exe 97 PID 1532 wrote to memory of 3060 1532 Inomhbeq.exe 97 PID 1532 wrote to memory of 3060 1532 Inomhbeq.exe 97 PID 3060 wrote to memory of 1556 3060 Idieem32.exe 98 PID 3060 wrote to memory of 1556 3060 Idieem32.exe 98 PID 3060 wrote to memory of 1556 3060 Idieem32.exe 98 PID 1556 wrote to memory of 1980 1556 Ijfnmc32.exe 99 PID 1556 wrote to memory of 1980 1556 Ijfnmc32.exe 99 PID 1556 wrote to memory of 1980 1556 Ijfnmc32.exe 99 PID 1980 wrote to memory of 692 1980 Iqpfjnba.exe 100 PID 1980 wrote to memory of 692 1980 Iqpfjnba.exe 100 PID 1980 wrote to memory of 692 1980 Iqpfjnba.exe 100 PID 692 wrote to memory of 3728 692 Ihgnkkbd.exe 101 PID 692 wrote to memory of 3728 692 Ihgnkkbd.exe 101 PID 692 wrote to memory of 3728 692 Ihgnkkbd.exe 101 PID 3728 wrote to memory of 4276 3728 Indfca32.exe 102 PID 3728 wrote to memory of 4276 3728 Indfca32.exe 102 PID 3728 wrote to memory of 4276 3728 Indfca32.exe 102 PID 4276 wrote to memory of 3632 4276 Jhijqj32.exe 103 PID 4276 wrote to memory of 3632 4276 Jhijqj32.exe 103 PID 4276 wrote to memory of 3632 4276 Jhijqj32.exe 103 PID 3632 wrote to memory of 1236 3632 Jjjghcfp.exe 104 PID 3632 wrote to memory of 1236 3632 Jjjghcfp.exe 104 PID 3632 wrote to memory of 1236 3632 Jjjghcfp.exe 104 PID 1236 wrote to memory of 4208 1236 Jhpqaiji.exe 105 PID 1236 wrote to memory of 4208 1236 Jhpqaiji.exe 105 PID 1236 wrote to memory of 4208 1236 Jhpqaiji.exe 105 PID 4208 wrote to memory of 2084 4208 Jgcamf32.exe 106 PID 4208 wrote to memory of 2084 4208 Jgcamf32.exe 106 PID 4208 wrote to memory of 2084 4208 Jgcamf32.exe 106 PID 2084 wrote to memory of 4012 2084 Jdgafjpn.exe 107 PID 2084 wrote to memory of 4012 2084 Jdgafjpn.exe 107 PID 2084 wrote to memory of 4012 2084 Jdgafjpn.exe 107 PID 4012 wrote to memory of 4112 4012 Jkaicd32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe"C:\Users\Admin\AppData\Local\Temp\12172a7778d811620099d7d27ba8a272fc4047ad7bfa50a57c4b934f63a97d4e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Idghpmnp.exeC:\Windows\system32\Idghpmnp.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4112 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe24⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe26⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe27⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe28⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe29⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4316 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe31⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe32⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe33⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe34⤵
- Executes dropped EXE
PID:3372 -
C:\Windows\SysWOW64\Kkmioc32.exeC:\Windows\system32\Kkmioc32.exe35⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe36⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe37⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe38⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe40⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe41⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe42⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe43⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe44⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe46⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe47⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe48⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe49⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4500 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe51⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe52⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe53⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe55⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe57⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe58⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe59⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3660 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe61⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe63⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe64⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe65⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe66⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe67⤵PID:4280
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe68⤵PID:5064
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2248 -
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe70⤵PID:4672
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe71⤵
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe72⤵PID:428
-
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe73⤵PID:1904
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe74⤵PID:940
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe75⤵
- System Location Discovery: System Language Discovery
PID:4904 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe76⤵PID:1892
-
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe77⤵PID:3684
-
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe78⤵PID:1652
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe79⤵
- Drops file in System32 directory
PID:4744 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe80⤵PID:1496
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe81⤵PID:4540
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe83⤵PID:2200
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe84⤵PID:4256
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe85⤵PID:4936
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe86⤵PID:1816
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe87⤵PID:5136
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe88⤵PID:5180
-
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe89⤵PID:5224
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe90⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe92⤵PID:5356
-
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe93⤵PID:5400
-
C:\Windows\SysWOW64\Pedlgbkh.exeC:\Windows\system32\Pedlgbkh.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe95⤵
- System Location Discovery: System Language Discovery
PID:5504 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe96⤵PID:5564
-
C:\Windows\SysWOW64\Plpqil32.exeC:\Windows\system32\Plpqil32.exe97⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe98⤵PID:5676
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe100⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe101⤵PID:5856
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe102⤵PID:5920
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe103⤵PID:5992
-
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe104⤵PID:6040
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe105⤵PID:6084
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe107⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe108⤵PID:5236
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe109⤵PID:5328
-
C:\Windows\SysWOW64\Qhlkilba.exeC:\Windows\system32\Qhlkilba.exe110⤵
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe111⤵PID:5472
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe112⤵PID:5572
-
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe113⤵PID:5660
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe114⤵PID:5752
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe115⤵PID:5848
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe116⤵PID:5952
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe117⤵PID:6028
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe119⤵PID:5172
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe120⤵PID:5300
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe121⤵PID:5416
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-