Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28/09/2024, 19:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe
-
Size
80KB
-
MD5
fdb292c1f588f3e61bdaa6078f91ca80
-
SHA1
63ce5f50c1318490512db42e68748e951828da10
-
SHA256
c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497
-
SHA512
f519feac50f744c09a1e35289d613cb5698ae39312c27b7282b20fb93a27dd6ebd4585e75ac74b2a891192a9123fb5f279dd38a91f32d9e084cdb891c41a54fb
-
SSDEEP
768:yt2yb50qaK6VTz+HPDcvogR6wWK0QY7/CHo4NXhaYMYzRRup7aj2p/1H50rXdnhP:B8GO3Hej1xMYzRRupej2L0CYrum8SPG2
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklbmllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklnjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohgoaehe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcliikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlklkgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mojhgbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibbqicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageolo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkadoiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbfbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpdfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohhpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglpibgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbiaapdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjagjhnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eonehbjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgaijaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofmfmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqoiqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gilapgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfdjanb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peieba32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnoklk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaefgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amddjegd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohjlgefb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neccpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcicmqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epokedmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadlbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmgmijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgakbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Executes dropped EXE 64 IoCs
pid Process 5016 Dohfbj32.exe 964 Deanodkh.exe 1260 Dhpjkojk.exe 3312 Dkoggkjo.exe 4656 Dceohhja.exe 1976 Ddgkpp32.exe 3428 Dlncan32.exe 1932 Echknh32.exe 2780 Edihepnm.exe 4852 Elppfmoo.exe 1708 Ecjhcg32.exe 4028 Edkdkplj.exe 4260 Elbmlmml.exe 2768 Eekaebcm.exe 3104 Eocenh32.exe 1208 Eabbjc32.exe 2308 Ekjfcipa.exe 2524 Eepjpb32.exe 4508 Fljcmlfd.exe 4344 Fcckif32.exe 1224 Fhqcam32.exe 532 Fkopnh32.exe 1148 Faihkbci.exe 2332 Flnlhk32.exe 1488 Fchddejl.exe 1888 Ffgqqaip.exe 3272 Fhemmlhc.exe 4184 Ffimfqgm.exe 5000 Fkffog32.exe 3164 Fcmnpe32.exe 4864 Fdnjgmle.exe 1484 Gbbkaako.exe 2876 Ghlcnk32.exe 2092 Gofkje32.exe 1012 Gbdgfa32.exe 3084 Ghopckpi.exe 5080 Gohhpe32.exe 1928 Gdeqhl32.exe 3888 Gkoiefmj.exe 740 Gbiaapdf.exe 3568 Gicinj32.exe 2956 Gomakdcp.exe 4548 Hkfoeega.exe 2068 Hcmgfbhd.exe 1964 Heocnk32.exe 1940 Hmfkoh32.exe 4760 Hcpclbfa.exe 3976 Hfnphn32.exe 2040 Himldi32.exe 952 Hofdacke.exe 4360 Hfqlnm32.exe 4416 Hecmijim.exe 2304 Hoiafcic.exe 4016 Hfcicmqp.exe 1000 Iiaephpc.exe 1432 Ipknlb32.exe 3052 Ibjjhn32.exe 1808 Iicbehnq.exe 2984 Ikbnacmd.exe 636 Iblfnn32.exe 4892 Imakkfdg.exe 1440 Ildkgc32.exe 3400 Ickchq32.exe 4352 Iemppiab.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nknjec32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Abcgjg32.exe Process not Found File created C:\Windows\SysWOW64\Ifjigbdo.dll Hfqlnm32.exe File created C:\Windows\SysWOW64\Ejldilhc.dll Jghabl32.exe File opened for modification C:\Windows\SysWOW64\Lnnikdnj.exe Llpmoiof.exe File created C:\Windows\SysWOW64\Icgcab32.dll Bmkcqn32.exe File opened for modification C:\Windows\SysWOW64\Jklphekp.exe Jgadgf32.exe File created C:\Windows\SysWOW64\Ofonqd32.dll Process not Found File created C:\Windows\SysWOW64\Akcjcnpe.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mfjcnold.exe Mbognp32.exe File created C:\Windows\SysWOW64\Jecampmk.dll Ccgjopal.exe File opened for modification C:\Windows\SysWOW64\Giinpa32.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Adfnofpd.exe Process not Found File created C:\Windows\SysWOW64\Jhijep32.dll Process not Found File created C:\Windows\SysWOW64\Ieojgc32.exe Process not Found File created C:\Windows\SysWOW64\Ohjdgn32.dll Ogkcpbam.exe File created C:\Windows\SysWOW64\Ehcplf32.dll Process not Found File created C:\Windows\SysWOW64\Fqeioiam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nhhdnf32.exe Process not Found File created C:\Windows\SysWOW64\Hlfofiig.dll Ndcdmikd.exe File opened for modification C:\Windows\SysWOW64\Nookip32.exe Nplkmckj.exe File opened for modification C:\Windows\SysWOW64\Ciafbg32.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Empbnb32.dll Pdpmpdbd.exe File created C:\Windows\SysWOW64\Hgjbkhen.dll Hhnbpb32.exe File opened for modification C:\Windows\SysWOW64\Plagcbdn.exe Pjbkgfej.exe File created C:\Windows\SysWOW64\Iadenp32.dll Nbgcih32.exe File created C:\Windows\SysWOW64\Bqjoqdcl.dll Process not Found File created C:\Windows\SysWOW64\Anhaoj32.dll Process not Found File created C:\Windows\SysWOW64\Benlnbhb.dll Lbmhlihl.exe File opened for modification C:\Windows\SysWOW64\Jkjcbe32.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Djaiilmd.dll Licfngjd.exe File created C:\Windows\SysWOW64\Edbiniff.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bjlgdc32.exe Bgnkhg32.exe File created C:\Windows\SysWOW64\Melmcj32.dll Oehlkc32.exe File created C:\Windows\SysWOW64\Alkijdci.exe Process not Found File created C:\Windows\SysWOW64\Afakoidm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nqmojd32.exe Process not Found File created C:\Windows\SysWOW64\Qgqeappe.exe Qqfmde32.exe File created C:\Windows\SysWOW64\Fddqghpd.exe Fafdkmap.exe File created C:\Windows\SysWOW64\Cipqnf32.dll Fnmepn32.exe File created C:\Windows\SysWOW64\Figgdg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ajfhnjhq.exe Agglboim.exe File created C:\Windows\SysWOW64\Hdlpneli.exe Hbmcbime.exe File created C:\Windows\SysWOW64\Ieliebnf.exe Inbqhhfj.exe File created C:\Windows\SysWOW64\Ciafbg32.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Jfhepbll.dll Dpnkdq32.exe File opened for modification C:\Windows\SysWOW64\Dpiplm32.exe Process not Found File created C:\Windows\SysWOW64\Cepjip32.dll Process not Found File created C:\Windows\SysWOW64\Dggbcf32.exe Process not Found File created C:\Windows\SysWOW64\Aaqfok32.dll Ibqpimpl.exe File created C:\Windows\SysWOW64\Jnnpdg32.exe Jkodhk32.exe File created C:\Windows\SysWOW64\Egcjff32.dll Djhpgofm.exe File created C:\Windows\SysWOW64\Iahlcaol.exe Ijadbdoj.exe File opened for modification C:\Windows\SysWOW64\Hpabni32.exe Hmbfbn32.exe File created C:\Windows\SysWOW64\Mlihmi32.dll Process not Found File created C:\Windows\SysWOW64\Anclbkbp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njhgbp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pnlaml32.exe Ofeilobp.exe File created C:\Windows\SysWOW64\Cmkkkihe.dll Egdqae32.exe File opened for modification C:\Windows\SysWOW64\Ggnlobej.exe Gdppbfff.exe File created C:\Windows\SysWOW64\Inojnf32.dll Llbidimc.exe File opened for modification C:\Windows\SysWOW64\Gpkchqdj.exe Giqkkf32.exe File opened for modification C:\Windows\SysWOW64\Pkadoiip.exe Plndcl32.exe File opened for modification C:\Windows\SysWOW64\Dimenegi.exe Dfoiaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16260 17752 Process not Found 1940 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcqiope.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goedpofl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afghneoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjgaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjlfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfogeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knefeffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfjeobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbplc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npedmdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjlkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knlleepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijchhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofmfmhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdjoane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfcndce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgljmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcamf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhmmjbkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjemflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdncmghi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghoeqmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chagok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lacdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqqlgem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnpppkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hheoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ageolo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfodbqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfefkkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebommi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamhhedg.dll" Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bppfmigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghane32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfbhfmf.dll" Alqjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpcodihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgllk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdohflaf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjeoglgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leadnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjedffig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcmbee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlofiddl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdjgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbnoffm.dll" Jblpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnhghcki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignmpke.dll" Inbqhhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflgmqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aodfajaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chokikeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajndioga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmedh32.dll" Alnmjjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffonbfe.dll" Ikcdlmgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nookip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipinkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjbogmdb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1624 wrote to memory of 5016 1624 c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe 82 PID 1624 wrote to memory of 5016 1624 c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe 82 PID 1624 wrote to memory of 5016 1624 c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe 82 PID 5016 wrote to memory of 964 5016 Dohfbj32.exe 83 PID 5016 wrote to memory of 964 5016 Dohfbj32.exe 83 PID 5016 wrote to memory of 964 5016 Dohfbj32.exe 83 PID 964 wrote to memory of 1260 964 Deanodkh.exe 84 PID 964 wrote to memory of 1260 964 Deanodkh.exe 84 PID 964 wrote to memory of 1260 964 Deanodkh.exe 84 PID 1260 wrote to memory of 3312 1260 Dhpjkojk.exe 85 PID 1260 wrote to memory of 3312 1260 Dhpjkojk.exe 85 PID 1260 wrote to memory of 3312 1260 Dhpjkojk.exe 85 PID 3312 wrote to memory of 4656 3312 Dkoggkjo.exe 86 PID 3312 wrote to memory of 4656 3312 Dkoggkjo.exe 86 PID 3312 wrote to memory of 4656 3312 Dkoggkjo.exe 86 PID 4656 wrote to memory of 1976 4656 Dceohhja.exe 87 PID 4656 wrote to memory of 1976 4656 Dceohhja.exe 87 PID 4656 wrote to memory of 1976 4656 Dceohhja.exe 87 PID 1976 wrote to memory of 3428 1976 Ddgkpp32.exe 88 PID 1976 wrote to memory of 3428 1976 Ddgkpp32.exe 88 PID 1976 wrote to memory of 3428 1976 Ddgkpp32.exe 88 PID 3428 wrote to memory of 1932 3428 Dlncan32.exe 89 PID 3428 wrote to memory of 1932 3428 Dlncan32.exe 89 PID 3428 wrote to memory of 1932 3428 Dlncan32.exe 89 PID 1932 wrote to memory of 2780 1932 Echknh32.exe 90 PID 1932 wrote to memory of 2780 1932 Echknh32.exe 90 PID 1932 wrote to memory of 2780 1932 Echknh32.exe 90 PID 2780 wrote to memory of 4852 2780 Edihepnm.exe 91 PID 2780 wrote to memory of 4852 2780 Edihepnm.exe 91 PID 2780 wrote to memory of 4852 2780 Edihepnm.exe 91 PID 4852 wrote to memory of 1708 4852 Elppfmoo.exe 92 PID 4852 wrote to memory of 1708 4852 Elppfmoo.exe 92 PID 4852 wrote to memory of 1708 4852 Elppfmoo.exe 92 PID 1708 wrote to memory of 4028 1708 Ecjhcg32.exe 93 PID 1708 wrote to memory of 4028 1708 Ecjhcg32.exe 93 PID 1708 wrote to memory of 4028 1708 Ecjhcg32.exe 93 PID 4028 wrote to memory of 4260 4028 Edkdkplj.exe 94 PID 4028 wrote to memory of 4260 4028 Edkdkplj.exe 94 PID 4028 wrote to memory of 4260 4028 Edkdkplj.exe 94 PID 4260 wrote to memory of 2768 4260 Elbmlmml.exe 95 PID 4260 wrote to memory of 2768 4260 Elbmlmml.exe 95 PID 4260 wrote to memory of 2768 4260 Elbmlmml.exe 95 PID 2768 wrote to memory of 3104 2768 Eekaebcm.exe 96 PID 2768 wrote to memory of 3104 2768 Eekaebcm.exe 96 PID 2768 wrote to memory of 3104 2768 Eekaebcm.exe 96 PID 3104 wrote to memory of 1208 3104 Eocenh32.exe 97 PID 3104 wrote to memory of 1208 3104 Eocenh32.exe 97 PID 3104 wrote to memory of 1208 3104 Eocenh32.exe 97 PID 1208 wrote to memory of 2308 1208 Eabbjc32.exe 98 PID 1208 wrote to memory of 2308 1208 Eabbjc32.exe 98 PID 1208 wrote to memory of 2308 1208 Eabbjc32.exe 98 PID 2308 wrote to memory of 2524 2308 Ekjfcipa.exe 99 PID 2308 wrote to memory of 2524 2308 Ekjfcipa.exe 99 PID 2308 wrote to memory of 2524 2308 Ekjfcipa.exe 99 PID 2524 wrote to memory of 4508 2524 Eepjpb32.exe 100 PID 2524 wrote to memory of 4508 2524 Eepjpb32.exe 100 PID 2524 wrote to memory of 4508 2524 Eepjpb32.exe 100 PID 4508 wrote to memory of 4344 4508 Fljcmlfd.exe 101 PID 4508 wrote to memory of 4344 4508 Fljcmlfd.exe 101 PID 4508 wrote to memory of 4344 4508 Fljcmlfd.exe 101 PID 4344 wrote to memory of 1224 4344 Fcckif32.exe 102 PID 4344 wrote to memory of 1224 4344 Fcckif32.exe 102 PID 4344 wrote to memory of 1224 4344 Fcckif32.exe 102 PID 1224 wrote to memory of 532 1224 Fhqcam32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe"C:\Users\Admin\AppData\Local\Temp\c6ae7b1b634825861ce7aee221d71e0464160aaace4082e0ab58796ae2da4497N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe23⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe24⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe25⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe26⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe27⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe28⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe29⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe30⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe31⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Fdnjgmle.exeC:\Windows\system32\Fdnjgmle.exe32⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe33⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe34⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Gofkje32.exeC:\Windows\system32\Gofkje32.exe35⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe36⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe37⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe39⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe40⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe42⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe43⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe44⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe45⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe46⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe47⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe48⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe49⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe50⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe51⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Hecmijim.exeC:\Windows\system32\Hecmijim.exe53⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe54⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Hfcicmqp.exeC:\Windows\system32\Hfcicmqp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe56⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe57⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Ibjjhn32.exeC:\Windows\system32\Ibjjhn32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe59⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe60⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe61⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe62⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Ildkgc32.exeC:\Windows\system32\Ildkgc32.exe63⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe64⤵
- Executes dropped EXE
PID:3400 -
C:\Windows\SysWOW64\Iemppiab.exeC:\Windows\system32\Iemppiab.exe65⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe66⤵PID:3004
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe67⤵PID:4484
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe68⤵
- Drops file in System32 directory
PID:4288 -
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe69⤵PID:4700
-
C:\Windows\SysWOW64\Ipdqba32.exeC:\Windows\system32\Ipdqba32.exe70⤵PID:1524
-
C:\Windows\SysWOW64\Ibcmom32.exeC:\Windows\system32\Ibcmom32.exe71⤵PID:2500
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe72⤵PID:2928
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe73⤵PID:4336
-
C:\Windows\SysWOW64\Jedeph32.exeC:\Windows\system32\Jedeph32.exe74⤵PID:4816
-
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe75⤵PID:868
-
C:\Windows\SysWOW64\Jpijnqkp.exeC:\Windows\system32\Jpijnqkp.exe76⤵PID:3680
-
C:\Windows\SysWOW64\Jfcbjk32.exeC:\Windows\system32\Jfcbjk32.exe77⤵PID:4436
-
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe78⤵PID:2008
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe79⤵PID:2792
-
C:\Windows\SysWOW64\Jbjcolha.exeC:\Windows\system32\Jbjcolha.exe80⤵PID:2156
-
C:\Windows\SysWOW64\Jehokgge.exeC:\Windows\system32\Jehokgge.exe81⤵PID:3744
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe82⤵PID:856
-
C:\Windows\SysWOW64\Jblpek32.exeC:\Windows\system32\Jblpek32.exe83⤵
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe84⤵PID:3056
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe85⤵PID:912
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe86⤵PID:2512
-
C:\Windows\SysWOW64\Kmdqgd32.exeC:\Windows\system32\Kmdqgd32.exe87⤵PID:3260
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe88⤵PID:4164
-
C:\Windows\SysWOW64\Kbaipkbi.exeC:\Windows\system32\Kbaipkbi.exe89⤵PID:5052
-
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe90⤵PID:4356
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe91⤵
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Kfoafi32.exeC:\Windows\system32\Kfoafi32.exe92⤵PID:3608
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe93⤵PID:4080
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe94⤵PID:4964
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe95⤵PID:3224
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe96⤵PID:1472
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe97⤵PID:2368
-
C:\Windows\SysWOW64\Kbhoqj32.exeC:\Windows\system32\Kbhoqj32.exe98⤵PID:1680
-
C:\Windows\SysWOW64\Kefkme32.exeC:\Windows\system32\Kefkme32.exe99⤵PID:4776
-
C:\Windows\SysWOW64\Klqcioba.exeC:\Windows\system32\Klqcioba.exe100⤵PID:388
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe101⤵
- System Location Discovery: System Language Discovery
PID:5008 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe102⤵
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\Liddbc32.exeC:\Windows\system32\Liddbc32.exe103⤵PID:2892
-
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe104⤵PID:3824
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe105⤵PID:2336
-
C:\Windows\SysWOW64\Lbmhlihl.exeC:\Windows\system32\Lbmhlihl.exe106⤵
- Drops file in System32 directory
PID:5092 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe107⤵PID:5084
-
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe108⤵PID:1092
-
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe109⤵PID:3908
-
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe110⤵PID:4812
-
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe111⤵PID:2300
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe112⤵PID:1180
-
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe113⤵PID:5148
-
C:\Windows\SysWOW64\Likjcbkc.exeC:\Windows\system32\Likjcbkc.exe114⤵PID:5192
-
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe115⤵PID:5236
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe116⤵PID:5280
-
C:\Windows\SysWOW64\Lebkhc32.exeC:\Windows\system32\Lebkhc32.exe117⤵PID:5324
-
C:\Windows\SysWOW64\Lmiciaaj.exeC:\Windows\system32\Lmiciaaj.exe118⤵PID:5368
-
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe119⤵PID:5412
-
C:\Windows\SysWOW64\Mgagbf32.exeC:\Windows\system32\Mgagbf32.exe120⤵PID:5456
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe121⤵PID:5500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-