Analysis
-
max time kernel
126s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 00:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe
-
Size
96KB
-
MD5
a92af33264aa44408a26d93d9b807d9f
-
SHA1
08653a527af234c018fd2b1b11c5f7a2272fd87e
-
SHA256
9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19
-
SHA512
7caf5e1234953f4e8f02063772e29aabfe46ff346b47d60eb384a367629f7bbe0d8169a648b9960203dcec006919fb91177569f9895495f5a8705517625a2505
-
SSDEEP
1536:DNI9kysRsQ0xHUZAVlPHpXKs6WzVWOcE2Ls7RZObZUUWaegPYA:JI2ysRsQ0GZAF6s6WzMOCsClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgjdibf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homcbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbhdojn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmejlcoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbfjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpbkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgqag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qipqibmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkpmgjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpkhjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoiihcde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedbcebd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogdofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdjicmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbnnfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgdgijhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mejnlpai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lefkkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilfldoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddqejni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abipfifn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbmbgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakidd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcepbooa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkdod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onakco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmonbbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejeebpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acppddig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnqebaog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppccemjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alfcflfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hokgmpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foqdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggpfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlfcqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpefaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdbkja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcaoahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkigbfja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqkkcghn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjhkmbho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggocbke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdfho32.exe -
Executes dropped EXE 64 IoCs
pid Process 1924 Ipgkjlmg.exe 4824 Ieccbbkn.exe 3024 Iiopca32.exe 4612 Ilnlom32.exe 2492 Ibgdlg32.exe 3108 Iialhaad.exe 4120 Jaajhb32.exe 2320 Jlgoek32.exe 4760 Jbagbebm.exe 2856 Jikoopij.exe 4480 Johggfha.exe 760 Jpgdai32.exe 3812 Kiphjo32.exe 3304 Kpiqfima.exe 1720 Kakmna32.exe 4880 Klpakj32.exe 3856 Kcjjhdjb.exe 1912 Khgbqkhj.exe 5088 Klbnajqc.exe 3092 Kcmfnd32.exe 4180 Kapfiqoj.exe 2864 Kpqggh32.exe 4432 Kcoccc32.exe 4928 Kemooo32.exe 2008 Klggli32.exe 656 Kadpdp32.exe 2460 Lhnhajba.exe 4376 Lafmjp32.exe 1996 Lpgmhg32.exe 1040 Laiipofp.exe 428 Llnnmhfe.exe 1528 Loofnccf.exe 2952 Loacdc32.exe 4272 Mjggal32.exe 1580 Mpclce32.exe 704 Mjlalkmd.exe 1080 Mhoahh32.exe 1832 Mohidbkl.exe 4912 Mjnnbk32.exe 3852 Mqhfoebo.exe 2684 Mqjbddpl.exe 1184 Nmaciefp.exe 3380 Noppeaed.exe 376 Nhhdnf32.exe 4260 Ncmhko32.exe 3020 Nmfmde32.exe 5016 Nbbeml32.exe 2804 Nimmifgo.exe 3444 Nofefp32.exe 768 Niojoeel.exe 3056 Ocdnln32.exe 2236 Oiagde32.exe 3332 Oqhoeb32.exe 1520 Ojqcnhkl.exe 2840 Oqklkbbi.exe 908 Ofgdcipq.exe 1904 Oqmhqapg.exe 2232 Ofjqihnn.exe 3816 Oqoefand.exe 3008 Obqanjdb.exe 1372 Omfekbdh.exe 5096 Ppdbgncl.exe 1836 Pbcncibp.exe 1700 Ppgomnai.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ofgbflng.dll Mfofjk32.exe File opened for modification C:\Windows\SysWOW64\Dnmgni32.exe Dgcoaock.exe File created C:\Windows\SysWOW64\Ionbcb32.exe Iefnjm32.exe File opened for modification C:\Windows\SysWOW64\Bmggingc.exe Bjhkmbho.exe File created C:\Windows\SysWOW64\Hkjohi32.exe Hqdkkp32.exe File created C:\Windows\SysWOW64\Idjcam32.dll Lddble32.exe File created C:\Windows\SysWOW64\Pbfjjlgc.exe Pnknim32.exe File created C:\Windows\SysWOW64\Oinbgk32.exe Okkalnjm.exe File opened for modification C:\Windows\SysWOW64\Qbkcek32.exe Qkakhakq.exe File opened for modification C:\Windows\SysWOW64\Gllajf32.exe Gebimmco.exe File opened for modification C:\Windows\SysWOW64\Lglcag32.exe Lmfodn32.exe File opened for modification C:\Windows\SysWOW64\Igmjhnej.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dcpffk32.exe Process not Found File created C:\Windows\SysWOW64\Ojkkah32.exe Opefdo32.exe File opened for modification C:\Windows\SysWOW64\Niadfpcn.exe Process not Found File created C:\Windows\SysWOW64\Fjcjpb32.exe Process not Found File created C:\Windows\SysWOW64\Oogbel32.dll Process not Found File created C:\Windows\SysWOW64\Mgccelpk.dll Mjnnbk32.exe File created C:\Windows\SysWOW64\Dalofi32.exe Dckoia32.exe File opened for modification C:\Windows\SysWOW64\Oamgcm32.exe Onakco32.exe File opened for modification C:\Windows\SysWOW64\Ffcedd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fplimi32.exe Process not Found File created C:\Windows\SysWOW64\Mkfnlmkl.exe Process not Found File created C:\Windows\SysWOW64\Ghcjedcj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dgdgijhp.exe Dlncla32.exe File created C:\Windows\SysWOW64\Hnlgemnf.dll Dkehlo32.exe File created C:\Windows\SysWOW64\Iajkohmj.exe Process not Found File created C:\Windows\SysWOW64\Bnmpgabd.dll Process not Found File created C:\Windows\SysWOW64\Kemooo32.exe Kcoccc32.exe File opened for modification C:\Windows\SysWOW64\Icdhdfcj.exe Ikmpcicg.exe File created C:\Windows\SysWOW64\Clmbea32.dll Jjbjlpga.exe File created C:\Windows\SysWOW64\Kapfiqoj.exe Kcmfnd32.exe File created C:\Windows\SysWOW64\Loofnccf.exe Llnnmhfe.exe File created C:\Windows\SysWOW64\Bmidnm32.exe Bpedeiff.exe File opened for modification C:\Windows\SysWOW64\Gjcmngnj.exe Gcjdam32.exe File created C:\Windows\SysWOW64\Ajepci32.dll Gojgkl32.exe File created C:\Windows\SysWOW64\Gbjlkd32.dll Fdpnda32.exe File created C:\Windows\SysWOW64\Pohqjpee.dll Iggocbke.exe File created C:\Windows\SysWOW64\Miqlpbap.exe Process not Found File created C:\Windows\SysWOW64\Aofbkbfe.dll Pbbgicnd.exe File created C:\Windows\SysWOW64\Ibdgjl32.dll Hcgjhega.exe File created C:\Windows\SysWOW64\Ofgdcipq.exe Oqklkbbi.exe File opened for modification C:\Windows\SysWOW64\Fhiinbdo.exe Faopah32.exe File created C:\Windows\SysWOW64\Hjlddclp.dll Process not Found File created C:\Windows\SysWOW64\Bjhkmbho.exe Bfmolc32.exe File created C:\Windows\SysWOW64\Ngcdji32.dll Ebokodfc.exe File opened for modification C:\Windows\SysWOW64\Decmjjie.exe Dnienqbi.exe File created C:\Windows\SysWOW64\Eghdmn32.dll Liofdigo.exe File opened for modification C:\Windows\SysWOW64\Efopjbjg.exe Epehnhbj.exe File created C:\Windows\SysWOW64\Ohcakk32.dll Fgcjea32.exe File created C:\Windows\SysWOW64\Dgmpkg32.exe Dbphcpog.exe File created C:\Windows\SysWOW64\Gjqinamq.exe Gcgqag32.exe File opened for modification C:\Windows\SysWOW64\Cnlpgibd.exe Becknc32.exe File created C:\Windows\SysWOW64\Kciaqi32.exe Kmpido32.exe File opened for modification C:\Windows\SysWOW64\Cleqfb32.exe Cifdjg32.exe File opened for modification C:\Windows\SysWOW64\Najagp32.exe Nolekd32.exe File created C:\Windows\SysWOW64\Oefaplcm.dll Fochecog.exe File created C:\Windows\SysWOW64\Ipcakd32.exe Process not Found File created C:\Windows\SysWOW64\Ebldoh32.dll Dinjjf32.exe File opened for modification C:\Windows\SysWOW64\Pjgemi32.exe Opopdd32.exe File opened for modification C:\Windows\SysWOW64\Pbdmdlie.exe Poeahaib.exe File created C:\Windows\SysWOW64\Igokfd32.dll Pcaoahio.exe File created C:\Windows\SysWOW64\Lnanadfi.exe Process not Found File created C:\Windows\SysWOW64\Jkfood32.dll Jbppgona.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14208 2712 Process not Found 1407 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mankaked.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkiiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklpaeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjbddpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajfdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbbgicnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kciaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmcfma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafbmgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdfoala.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaiac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeailhme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcddkggf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geqlhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cigkdmel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpemkcck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqnemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enopghee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbppgona.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfghlhmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpibdam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiaepfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmanljfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helkdnaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjjgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllajf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miklkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqphic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflidl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjeklfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmjdkda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfqfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoioabf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmplkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ononmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agobna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbblhnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqdkkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaogfai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbamdkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deidjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkeekag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poeahaib.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gflcnanp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqfqfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efqigigj.dll" Cppelkeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjphoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbeqaia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knbinhfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegndm32.dll" Fpoaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpkehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopabjci.dll" Ijkdkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhelp32.dll" Ljephmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemooo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdocph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbphcpog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agkgceeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebfmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebfmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkccibof.dll" Hklpaeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbifd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fepbfj32.dll" Miipencp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iamlhdea.dll" Dnienqbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccokj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpnapfn.dll" Gchflq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpdogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcdcbcl.dll" Cjfclcpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eacaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piapkbeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjmfj32.dll" Lmgfod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miipencp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepgghpg.dll" Adpogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmegdjkj.dll" Fejegaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmhgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efampahd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcgqag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbkbabje.dll" Cjlilndf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" Fnhbmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khabke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkppikoe.dll" Kilphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mminfech.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Decdeama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhdkp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famnbgil.dll" Abgjkpll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgkmjog.dll" Adbkmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaglma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfbcndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdomkjem.dll" Fgffka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbhpajlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbmfk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" Pbcncibp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadghn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlncla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnhfn32.dll" Gcgqag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjmggij.dll" Ainnhdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kapfiqoj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 432 wrote to memory of 1924 432 9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe 89 PID 432 wrote to memory of 1924 432 9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe 89 PID 432 wrote to memory of 1924 432 9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe 89 PID 1924 wrote to memory of 4824 1924 Ipgkjlmg.exe 90 PID 1924 wrote to memory of 4824 1924 Ipgkjlmg.exe 90 PID 1924 wrote to memory of 4824 1924 Ipgkjlmg.exe 90 PID 4824 wrote to memory of 3024 4824 Ieccbbkn.exe 91 PID 4824 wrote to memory of 3024 4824 Ieccbbkn.exe 91 PID 4824 wrote to memory of 3024 4824 Ieccbbkn.exe 91 PID 3024 wrote to memory of 4612 3024 Iiopca32.exe 92 PID 3024 wrote to memory of 4612 3024 Iiopca32.exe 92 PID 3024 wrote to memory of 4612 3024 Iiopca32.exe 92 PID 4612 wrote to memory of 2492 4612 Ilnlom32.exe 93 PID 4612 wrote to memory of 2492 4612 Ilnlom32.exe 93 PID 4612 wrote to memory of 2492 4612 Ilnlom32.exe 93 PID 2492 wrote to memory of 3108 2492 Ibgdlg32.exe 94 PID 2492 wrote to memory of 3108 2492 Ibgdlg32.exe 94 PID 2492 wrote to memory of 3108 2492 Ibgdlg32.exe 94 PID 3108 wrote to memory of 4120 3108 Iialhaad.exe 95 PID 3108 wrote to memory of 4120 3108 Iialhaad.exe 95 PID 3108 wrote to memory of 4120 3108 Iialhaad.exe 95 PID 4120 wrote to memory of 2320 4120 Jaajhb32.exe 96 PID 4120 wrote to memory of 2320 4120 Jaajhb32.exe 96 PID 4120 wrote to memory of 2320 4120 Jaajhb32.exe 96 PID 2320 wrote to memory of 4760 2320 Jlgoek32.exe 97 PID 2320 wrote to memory of 4760 2320 Jlgoek32.exe 97 PID 2320 wrote to memory of 4760 2320 Jlgoek32.exe 97 PID 4760 wrote to memory of 2856 4760 Jbagbebm.exe 98 PID 4760 wrote to memory of 2856 4760 Jbagbebm.exe 98 PID 4760 wrote to memory of 2856 4760 Jbagbebm.exe 98 PID 2856 wrote to memory of 4480 2856 Jikoopij.exe 99 PID 2856 wrote to memory of 4480 2856 Jikoopij.exe 99 PID 2856 wrote to memory of 4480 2856 Jikoopij.exe 99 PID 4480 wrote to memory of 760 4480 Johggfha.exe 100 PID 4480 wrote to memory of 760 4480 Johggfha.exe 100 PID 4480 wrote to memory of 760 4480 Johggfha.exe 100 PID 760 wrote to memory of 3812 760 Jpgdai32.exe 101 PID 760 wrote to memory of 3812 760 Jpgdai32.exe 101 PID 760 wrote to memory of 3812 760 Jpgdai32.exe 101 PID 3812 wrote to memory of 3304 3812 Kiphjo32.exe 102 PID 3812 wrote to memory of 3304 3812 Kiphjo32.exe 102 PID 3812 wrote to memory of 3304 3812 Kiphjo32.exe 102 PID 3304 wrote to memory of 1720 3304 Kpiqfima.exe 103 PID 3304 wrote to memory of 1720 3304 Kpiqfima.exe 103 PID 3304 wrote to memory of 1720 3304 Kpiqfima.exe 103 PID 1720 wrote to memory of 4880 1720 Kakmna32.exe 104 PID 1720 wrote to memory of 4880 1720 Kakmna32.exe 104 PID 1720 wrote to memory of 4880 1720 Kakmna32.exe 104 PID 4880 wrote to memory of 3856 4880 Klpakj32.exe 105 PID 4880 wrote to memory of 3856 4880 Klpakj32.exe 105 PID 4880 wrote to memory of 3856 4880 Klpakj32.exe 105 PID 3856 wrote to memory of 1912 3856 Kcjjhdjb.exe 106 PID 3856 wrote to memory of 1912 3856 Kcjjhdjb.exe 106 PID 3856 wrote to memory of 1912 3856 Kcjjhdjb.exe 106 PID 1912 wrote to memory of 5088 1912 Khgbqkhj.exe 107 PID 1912 wrote to memory of 5088 1912 Khgbqkhj.exe 107 PID 1912 wrote to memory of 5088 1912 Khgbqkhj.exe 107 PID 5088 wrote to memory of 3092 5088 Klbnajqc.exe 108 PID 5088 wrote to memory of 3092 5088 Klbnajqc.exe 108 PID 5088 wrote to memory of 3092 5088 Klbnajqc.exe 108 PID 3092 wrote to memory of 4180 3092 Kcmfnd32.exe 109 PID 3092 wrote to memory of 4180 3092 Kcmfnd32.exe 109 PID 3092 wrote to memory of 4180 3092 Kcmfnd32.exe 109 PID 4180 wrote to memory of 2864 4180 Kapfiqoj.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe"C:\Users\Admin\AppData\Local\Temp\9eeebbf5dd3068a1cfe1fbe60b6696fbcb9c3b97257b5306948c4d0df88eea19.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Ipgkjlmg.exeC:\Windows\system32\Ipgkjlmg.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Iiopca32.exeC:\Windows\system32\Iiopca32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Ilnlom32.exeC:\Windows\system32\Ilnlom32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Ibgdlg32.exeC:\Windows\system32\Ibgdlg32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Iialhaad.exeC:\Windows\system32\Iialhaad.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\Jaajhb32.exeC:\Windows\system32\Jaajhb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Jlgoek32.exeC:\Windows\system32\Jlgoek32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Jbagbebm.exeC:\Windows\system32\Jbagbebm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Johggfha.exeC:\Windows\system32\Johggfha.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Kpiqfima.exeC:\Windows\system32\Kpiqfima.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Kakmna32.exeC:\Windows\system32\Kakmna32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Klpakj32.exeC:\Windows\system32\Klpakj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Khgbqkhj.exeC:\Windows\system32\Khgbqkhj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe23⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Kemooo32.exeC:\Windows\system32\Kemooo32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Klggli32.exeC:\Windows\system32\Klggli32.exe26⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe27⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Lhnhajba.exeC:\Windows\system32\Lhnhajba.exe28⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lafmjp32.exeC:\Windows\system32\Lafmjp32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4376 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Laiipofp.exeC:\Windows\system32\Laiipofp.exe31⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:428 -
C:\Windows\SysWOW64\Loofnccf.exeC:\Windows\system32\Loofnccf.exe33⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe34⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mjggal32.exeC:\Windows\system32\Mjggal32.exe35⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Mpclce32.exeC:\Windows\system32\Mpclce32.exe36⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Mjlalkmd.exeC:\Windows\system32\Mjlalkmd.exe37⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Mhoahh32.exeC:\Windows\system32\Mhoahh32.exe38⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe39⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Mjnnbk32.exeC:\Windows\system32\Mjnnbk32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4912 -
C:\Windows\SysWOW64\Mqhfoebo.exeC:\Windows\system32\Mqhfoebo.exe41⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Mqjbddpl.exeC:\Windows\system32\Mqjbddpl.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Nmaciefp.exeC:\Windows\system32\Nmaciefp.exe43⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Noppeaed.exeC:\Windows\system32\Noppeaed.exe44⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Nhhdnf32.exeC:\Windows\system32\Nhhdnf32.exe45⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe46⤵
- Executes dropped EXE
PID:4260 -
C:\Windows\SysWOW64\Nmfmde32.exeC:\Windows\system32\Nmfmde32.exe47⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Nbbeml32.exeC:\Windows\system32\Nbbeml32.exe48⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe49⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Nofefp32.exeC:\Windows\system32\Nofefp32.exe50⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Niojoeel.exeC:\Windows\system32\Niojoeel.exe51⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ocdnln32.exeC:\Windows\system32\Ocdnln32.exe52⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Oiagde32.exeC:\Windows\system32\Oiagde32.exe53⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Oqhoeb32.exeC:\Windows\system32\Oqhoeb32.exe54⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Ojqcnhkl.exeC:\Windows\system32\Ojqcnhkl.exe55⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe57⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Oqmhqapg.exeC:\Windows\system32\Oqmhqapg.exe58⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe59⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Oqoefand.exeC:\Windows\system32\Oqoefand.exe60⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Obqanjdb.exeC:\Windows\system32\Obqanjdb.exe61⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe62⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ppdbgncl.exeC:\Windows\system32\Ppdbgncl.exe63⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Pbcncibp.exeC:\Windows\system32\Pbcncibp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe65⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Pjlcjf32.exeC:\Windows\system32\Pjlcjf32.exe66⤵PID:3484
-
C:\Windows\SysWOW64\Piocecgj.exeC:\Windows\system32\Piocecgj.exe67⤵PID:3828
-
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe68⤵PID:4692
-
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe69⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe70⤵PID:3392
-
C:\Windows\SysWOW64\Pjaleemj.exeC:\Windows\system32\Pjaleemj.exe71⤵PID:4648
-
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe72⤵PID:2564
-
C:\Windows\SysWOW64\Qppaclio.exeC:\Windows\system32\Qppaclio.exe73⤵PID:4448
-
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe74⤵PID:4548
-
C:\Windows\SysWOW64\Qapnmopa.exeC:\Windows\system32\Qapnmopa.exe75⤵PID:216
-
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe76⤵PID:4792
-
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe77⤵PID:2600
-
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe78⤵PID:1716
-
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe79⤵
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Afappe32.exeC:\Windows\system32\Afappe32.exe80⤵PID:3748
-
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe81⤵PID:4296
-
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe82⤵PID:2200
-
C:\Windows\SysWOW64\Aaiqcnhg.exeC:\Windows\system32\Aaiqcnhg.exe83⤵PID:3204
-
C:\Windows\SysWOW64\Abjmkf32.exeC:\Windows\system32\Abjmkf32.exe84⤵PID:2336
-
C:\Windows\SysWOW64\Apnndj32.exeC:\Windows\system32\Apnndj32.exe85⤵PID:4428
-
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe86⤵PID:5144
-
C:\Windows\SysWOW64\Bdlfjh32.exeC:\Windows\system32\Bdlfjh32.exe87⤵PID:5188
-
C:\Windows\SysWOW64\Bmdkcnie.exeC:\Windows\system32\Bmdkcnie.exe88⤵PID:5240
-
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe89⤵
- Modifies registry class
PID:5316 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe90⤵
- Drops file in System32 directory
PID:5364 -
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5408 -
C:\Windows\SysWOW64\Bmggingc.exeC:\Windows\system32\Bmggingc.exe92⤵PID:5452
-
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe93⤵
- Drops file in System32 directory
PID:5496 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe94⤵PID:5540
-
C:\Windows\SysWOW64\Bkmeha32.exeC:\Windows\system32\Bkmeha32.exe95⤵PID:5584
-
C:\Windows\SysWOW64\Bpjmph32.exeC:\Windows\system32\Bpjmph32.exe96⤵PID:5628
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe97⤵PID:5672
-
C:\Windows\SysWOW64\Cibain32.exeC:\Windows\system32\Cibain32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5716 -
C:\Windows\SysWOW64\Cajjjk32.exeC:\Windows\system32\Cajjjk32.exe99⤵PID:5760
-
C:\Windows\SysWOW64\Ckbncapd.exeC:\Windows\system32\Ckbncapd.exe100⤵PID:5800
-
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe101⤵PID:5844
-
C:\Windows\SysWOW64\Cdjblf32.exeC:\Windows\system32\Cdjblf32.exe102⤵PID:5888
-
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe103⤵
- System Location Discovery: System Language Discovery
PID:5932 -
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe104⤵PID:5976
-
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe105⤵PID:6016
-
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe106⤵PID:6060
-
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe107⤵PID:6104
-
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe108⤵PID:4408
-
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe109⤵PID:5176
-
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe110⤵PID:5252
-
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe111⤵PID:5372
-
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe112⤵PID:5444
-
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe113⤵PID:5528
-
C:\Windows\SysWOW64\Dphiaffa.exeC:\Windows\system32\Dphiaffa.exe114⤵PID:5596
-
C:\Windows\SysWOW64\Dcffnbee.exeC:\Windows\system32\Dcffnbee.exe115⤵PID:5664
-
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe116⤵PID:5744
-
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe117⤵PID:5820
-
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe118⤵PID:5880
-
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe119⤵PID:5984
-
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe120⤵PID:6072
-
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe121⤵PID:5164
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-