Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 11:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe
-
Size
62KB
-
MD5
5d683cd8d1709bf2178ca9f3f0dfed10
-
SHA1
128a47288b95b988879b6e6c95eaf2e7d5c1b282
-
SHA256
c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911
-
SHA512
6af3ccb761df25d84daacacdcec373024fe149030d2df669c8512e6b92adb10622378f74ea9274c6a1912a7eb02b9ac562529ca5f6f1e997156a4ba05ea300a3
-
SSDEEP
1536:sn2GqZIeH5dSbTflQRo1MbLEj+Q1ysAve8Cy:vZIeH5d6TNQRoqL6PAve8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpfqcln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mniallpq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oondnini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkihnmhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmpfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkofdbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkabjbih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odalmibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldhfpib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmniml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofaiokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nobdbkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckkiccep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pedlgbkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenicahg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emehdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnpofnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opcqnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijhjcchb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblimcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbognp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdafkdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbelcblk.exe -
Executes dropped EXE 64 IoCs
pid Process 2724 Gnfhfl32.exe 1196 Gempgj32.exe 3164 Gdppbfff.exe 848 Ghklce32.exe 3020 Goedpofl.exe 1528 Gadqlkep.exe 1508 Gdbmhf32.exe 2824 Ggqida32.exe 2472 Gnkaalkd.exe 2272 Gfbibikg.exe 3112 Ghpendjj.exe 2804 Gojnko32.exe 4576 Gfdfgiid.exe 4796 Ghbbcd32.exe 532 Hakgmjoh.exe 3884 Hheoid32.exe 4808 Hkckeo32.exe 368 Hbmcbime.exe 1376 Hhgloc32.exe 4504 Hkehkocf.exe 3736 Hbpphi32.exe 1948 Hhihdcbp.exe 3808 Hocqam32.exe 3272 Hbbmmi32.exe 4116 Hhlejcpm.exe 4528 Hkjafn32.exe 4384 Hbdjchgn.exe 4856 Hhnbpb32.exe 1816 Iohjlmeg.exe 4344 Ibffhhek.exe 1468 Idebdcdo.exe 1496 Iokgal32.exe 2580 Inmgmijo.exe 2552 Ifdonfka.exe 3512 Igjeanmj.exe 5080 Ioambknl.exe 4488 Ibpiogmp.exe 4408 Ienekbld.exe 2820 Igmagnkg.exe 3724 Jilnqqbj.exe 2996 Jnifigpa.exe 4452 Jkmgblok.exe 2460 Jgdhgmep.exe 2508 Jnnpdg32.exe 4840 Jicdap32.exe 4080 Jpmlnjco.exe 1100 Jfgdkd32.exe 4172 Jghabl32.exe 744 Knbiofhg.exe 1016 Kelalp32.exe 1412 Klfjijgq.exe 2548 Kbpbed32.exe 3696 Keonap32.exe 1940 Khmknk32.exe 3100 Kpdboimg.exe 4412 Kngcje32.exe 552 Kbbokdlk.exe 3588 Keakgpko.exe 1788 Khpgckkb.exe 1396 Klkcdj32.exe 1928 Knippe32.exe 3032 Kechmoil.exe 3460 Kiodmn32.exe 2404 Knlleepl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cdbpgl32.exe Process not Found File created C:\Windows\SysWOW64\Noiilpik.dll Bppfmigl.exe File created C:\Windows\SysWOW64\Kjjiej32.exe Kglmio32.exe File created C:\Windows\SysWOW64\Mmacdg32.dll Process not Found File created C:\Windows\SysWOW64\Hmjbog32.dll Process not Found File created C:\Windows\SysWOW64\Npakijcp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cpeohh32.exe Cmfclm32.exe File created C:\Windows\SysWOW64\Lgpoihnl.exe Process not Found File created C:\Windows\SysWOW64\Hbgkei32.exe Process not Found File created C:\Windows\SysWOW64\Lajlbmed.dll Kdpmbc32.exe File created C:\Windows\SysWOW64\Lpghll32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Amjbbfgo.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gbkkik32.exe Process not Found File created C:\Windows\SysWOW64\Oifppdpd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npgabc32.exe Nhpiafnm.exe File opened for modification C:\Windows\SysWOW64\Nklbmllg.exe Nhmeapmd.exe File opened for modification C:\Windows\SysWOW64\Gpecbk32.exe Gljgbllj.exe File opened for modification C:\Windows\SysWOW64\Jocgnlha.dll Qaalblgi.exe File opened for modification C:\Windows\SysWOW64\Ifomll32.exe Iohejo32.exe File created C:\Windows\SysWOW64\Ojhpimhp.exe Process not Found File created C:\Windows\SysWOW64\Eohmkb32.exe Process not Found File created C:\Windows\SysWOW64\Onnnbnbp.dll Process not Found File created C:\Windows\SysWOW64\Ibffdoal.dll Ocffempp.exe File created C:\Windows\SysWOW64\Jdgafjpn.exe Jnmijq32.exe File created C:\Windows\SysWOW64\Gghocf32.dll Nkqkhk32.exe File created C:\Windows\SysWOW64\Bmhocd32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jhifomdj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gehbjm32.exe Fbjena32.exe File created C:\Windows\SysWOW64\Mlnipg32.exe Miomdk32.exe File created C:\Windows\SysWOW64\Hahohdla.dll Neccpd32.exe File created C:\Windows\SysWOW64\Enabbk32.dll Ebhglj32.exe File created C:\Windows\SysWOW64\Emanjldl.exe Eejeiocj.exe File opened for modification C:\Windows\SysWOW64\Enbjad32.exe Emanjldl.exe File created C:\Windows\SysWOW64\Pmikmcgp.dll Process not Found File created C:\Windows\SysWOW64\Amcehdod.exe Process not Found File opened for modification C:\Windows\SysWOW64\Olehhc32.exe Oigllh32.exe File opened for modification C:\Windows\SysWOW64\Cmipblaq.exe Cfogeb32.exe File created C:\Windows\SysWOW64\Kbglnn32.dll Inainbcn.exe File created C:\Windows\SysWOW64\Ialjan32.dll Eicedn32.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Process not Found File created C:\Windows\SysWOW64\Pmlfqh32.exe Process not Found File created C:\Windows\SysWOW64\Inmdohhp.dll Process not Found File created C:\Windows\SysWOW64\Gdhkdfdh.dll Jghabl32.exe File created C:\Windows\SysWOW64\Eplgeokq.exe Elpkep32.exe File created C:\Windows\SysWOW64\Ncgjlnfh.dll Kdmqmc32.exe File created C:\Windows\SysWOW64\Dnajppda.exe Process not Found File created C:\Windows\SysWOW64\Mpiedk32.dll Process not Found File created C:\Windows\SysWOW64\Filclgic.dll Geaepk32.exe File opened for modification C:\Windows\SysWOW64\Mjcngpjh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dhphmj32.exe Process not Found File created C:\Windows\SysWOW64\Haafcb32.exe Hjjnae32.exe File created C:\Windows\SysWOW64\Bmlilh32.exe Bfbaonae.exe File opened for modification C:\Windows\SysWOW64\Hpnoncim.exe Hlbcnd32.exe File created C:\Windows\SysWOW64\Clchbqoo.exe Cdlqqcnl.exe File opened for modification C:\Windows\SysWOW64\Mjaabq32.exe Process not Found File created C:\Windows\SysWOW64\Fdnhih32.exe Process not Found File created C:\Windows\SysWOW64\Ioenpjfm.dll Bheffh32.exe File created C:\Windows\SysWOW64\Gdcliikj.exe Glldgljg.exe File opened for modification C:\Windows\SysWOW64\Mcjmel32.exe Malpia32.exe File opened for modification C:\Windows\SysWOW64\Neccpd32.exe Nbefdijg.exe File created C:\Windows\SysWOW64\Fnadil32.dll Efblbbqd.exe File created C:\Windows\SysWOW64\Iheocj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bfhadc32.exe Bciehh32.exe File created C:\Windows\SysWOW64\Gdbnag32.dll Eipinkib.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9712 10760 Process not Found 1583 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flpmagqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiepjga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginecde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgpgfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpbed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabhdinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhlkilba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgfkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgejpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpofnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oampjeml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emphocjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mplafeil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkblhfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpimlfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodcdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldhfpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfendmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmingjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjmoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqodfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaopfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbhcmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjemflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bidqko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgenbfoa.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmhebph.dll" Bgnkhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Digehphc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neogjl32.dll" Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhlpmmgb.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nihipdhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" Iinjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqmkae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlhljhbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfpdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppipkl32.dll" Gljgbllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkbfh32.dll" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpldkpc.dll" Nhdlao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejpfhnpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjpll32.dll" Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnmfclj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekmhejao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobfem32.dll" Jilnqqbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihaoqlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjjocap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecffa32.dll" Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glengm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpiafnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfbaonae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blciboie.dll" Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijqqd32.dll" Hlpfhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjebhadm.dll" Qohpkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemlnm32.dll" Ggahedjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akffafgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcllei32.dll" Cglgjeci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjbogmdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ploija32.dll" Aobilkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olealnbk.dll" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagdge32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1364 wrote to memory of 2724 1364 c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe 83 PID 1364 wrote to memory of 2724 1364 c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe 83 PID 1364 wrote to memory of 2724 1364 c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe 83 PID 2724 wrote to memory of 1196 2724 Gnfhfl32.exe 84 PID 2724 wrote to memory of 1196 2724 Gnfhfl32.exe 84 PID 2724 wrote to memory of 1196 2724 Gnfhfl32.exe 84 PID 1196 wrote to memory of 3164 1196 Gempgj32.exe 85 PID 1196 wrote to memory of 3164 1196 Gempgj32.exe 85 PID 1196 wrote to memory of 3164 1196 Gempgj32.exe 85 PID 3164 wrote to memory of 848 3164 Gdppbfff.exe 86 PID 3164 wrote to memory of 848 3164 Gdppbfff.exe 86 PID 3164 wrote to memory of 848 3164 Gdppbfff.exe 86 PID 848 wrote to memory of 3020 848 Ghklce32.exe 87 PID 848 wrote to memory of 3020 848 Ghklce32.exe 87 PID 848 wrote to memory of 3020 848 Ghklce32.exe 87 PID 3020 wrote to memory of 1528 3020 Goedpofl.exe 88 PID 3020 wrote to memory of 1528 3020 Goedpofl.exe 88 PID 3020 wrote to memory of 1528 3020 Goedpofl.exe 88 PID 1528 wrote to memory of 1508 1528 Gadqlkep.exe 90 PID 1528 wrote to memory of 1508 1528 Gadqlkep.exe 90 PID 1528 wrote to memory of 1508 1528 Gadqlkep.exe 90 PID 1508 wrote to memory of 2824 1508 Gdbmhf32.exe 91 PID 1508 wrote to memory of 2824 1508 Gdbmhf32.exe 91 PID 1508 wrote to memory of 2824 1508 Gdbmhf32.exe 91 PID 2824 wrote to memory of 2472 2824 Ggqida32.exe 93 PID 2824 wrote to memory of 2472 2824 Ggqida32.exe 93 PID 2824 wrote to memory of 2472 2824 Ggqida32.exe 93 PID 2472 wrote to memory of 2272 2472 Gnkaalkd.exe 94 PID 2472 wrote to memory of 2272 2472 Gnkaalkd.exe 94 PID 2472 wrote to memory of 2272 2472 Gnkaalkd.exe 94 PID 2272 wrote to memory of 3112 2272 Gfbibikg.exe 95 PID 2272 wrote to memory of 3112 2272 Gfbibikg.exe 95 PID 2272 wrote to memory of 3112 2272 Gfbibikg.exe 95 PID 3112 wrote to memory of 2804 3112 Ghpendjj.exe 96 PID 3112 wrote to memory of 2804 3112 Ghpendjj.exe 96 PID 3112 wrote to memory of 2804 3112 Ghpendjj.exe 96 PID 2804 wrote to memory of 4576 2804 Gojnko32.exe 98 PID 2804 wrote to memory of 4576 2804 Gojnko32.exe 98 PID 2804 wrote to memory of 4576 2804 Gojnko32.exe 98 PID 4576 wrote to memory of 4796 4576 Gfdfgiid.exe 99 PID 4576 wrote to memory of 4796 4576 Gfdfgiid.exe 99 PID 4576 wrote to memory of 4796 4576 Gfdfgiid.exe 99 PID 4796 wrote to memory of 532 4796 Ghbbcd32.exe 100 PID 4796 wrote to memory of 532 4796 Ghbbcd32.exe 100 PID 4796 wrote to memory of 532 4796 Ghbbcd32.exe 100 PID 532 wrote to memory of 3884 532 Hakgmjoh.exe 101 PID 532 wrote to memory of 3884 532 Hakgmjoh.exe 101 PID 532 wrote to memory of 3884 532 Hakgmjoh.exe 101 PID 3884 wrote to memory of 4808 3884 Hheoid32.exe 102 PID 3884 wrote to memory of 4808 3884 Hheoid32.exe 102 PID 3884 wrote to memory of 4808 3884 Hheoid32.exe 102 PID 4808 wrote to memory of 368 4808 Hkckeo32.exe 103 PID 4808 wrote to memory of 368 4808 Hkckeo32.exe 103 PID 4808 wrote to memory of 368 4808 Hkckeo32.exe 103 PID 368 wrote to memory of 1376 368 Hbmcbime.exe 104 PID 368 wrote to memory of 1376 368 Hbmcbime.exe 104 PID 368 wrote to memory of 1376 368 Hbmcbime.exe 104 PID 1376 wrote to memory of 4504 1376 Hhgloc32.exe 105 PID 1376 wrote to memory of 4504 1376 Hhgloc32.exe 105 PID 1376 wrote to memory of 4504 1376 Hhgloc32.exe 105 PID 4504 wrote to memory of 3736 4504 Hkehkocf.exe 106 PID 4504 wrote to memory of 3736 4504 Hkehkocf.exe 106 PID 4504 wrote to memory of 3736 4504 Hkehkocf.exe 106 PID 3736 wrote to memory of 1948 3736 Hbpphi32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe"C:\Users\Admin\AppData\Local\Temp\c4501fa711d5173f17ecd63dcf4666f618a43d6e23a0b63420f05687e2827911N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe23⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe24⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe25⤵
- Executes dropped EXE
PID:3272 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe26⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe28⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe29⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe30⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe31⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe32⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe33⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe35⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe36⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe37⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe38⤵
- Executes dropped EXE
PID:4488 -
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe39⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe40⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe42⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe43⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe44⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe45⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe46⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Jpmlnjco.exeC:\Windows\system32\Jpmlnjco.exe47⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe48⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4172 -
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe50⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Kelalp32.exeC:\Windows\system32\Kelalp32.exe51⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe52⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe54⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe55⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe56⤵
- Executes dropped EXE
PID:3100 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe57⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe58⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe59⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Khpgckkb.exeC:\Windows\system32\Khpgckkb.exe60⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe61⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe62⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe63⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe64⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe65⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe66⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe67⤵PID:4444
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe68⤵PID:3812
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe69⤵PID:2808
-
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe70⤵PID:556
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe71⤵PID:2872
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe72⤵PID:1664
-
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe73⤵PID:4928
-
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe74⤵PID:4428
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe75⤵PID:2860
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe76⤵PID:4380
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe77⤵PID:668
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe78⤵PID:3840
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe79⤵PID:3604
-
C:\Windows\SysWOW64\Llgcph32.exeC:\Windows\system32\Llgcph32.exe80⤵PID:4436
-
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe81⤵PID:3128
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe82⤵PID:1680
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe83⤵PID:2868
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe84⤵PID:3820
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe85⤵PID:1540
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe86⤵PID:5136
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe87⤵PID:5180
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe88⤵PID:5224
-
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe89⤵PID:5272
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe90⤵PID:5316
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe91⤵
- Drops file in System32 directory
PID:5360 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe92⤵PID:5404
-
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe93⤵PID:5448
-
C:\Windows\SysWOW64\Mfcmmp32.exeC:\Windows\system32\Mfcmmp32.exe94⤵PID:5492
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe95⤵PID:5536
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe96⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe97⤵PID:5624
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe98⤵PID:5668
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe99⤵
- System Location Discovery: System Language Discovery
PID:5712 -
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe100⤵PID:5756
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe101⤵PID:5800
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe102⤵PID:5844
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe103⤵PID:5888
-
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe104⤵PID:5932
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe105⤵PID:5976
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020 -
C:\Windows\SysWOW64\Nemcjk32.exeC:\Windows\system32\Nemcjk32.exe107⤵PID:6064
-
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe108⤵PID:6108
-
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe109⤵PID:5124
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe110⤵PID:5196
-
C:\Windows\SysWOW64\Ngmpcn32.exeC:\Windows\system32\Ngmpcn32.exe111⤵PID:5280
-
C:\Windows\SysWOW64\Niklpj32.exeC:\Windows\system32\Niklpj32.exe112⤵PID:5348
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe113⤵PID:5420
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe114⤵PID:5484
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:5568 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5632 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe117⤵PID:5700
-
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe118⤵PID:5768
-
C:\Windows\SysWOW64\Nhbfff32.exeC:\Windows\system32\Nhbfff32.exe119⤵PID:5836
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe120⤵PID:5904
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe121⤵PID:5972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-