Analysis
max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 16:00
Static task: static1
Behavioral task: behavioral1
  Sample: cd3368e03ec8634a3f25176267bd9b5f05ef5a41ae219cbaeea840918e39db86N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: cd3368e03ec8634a3f25176267bd9b5f05ef5a41ae219cbaeea840918e39db86N.exe
  Resource: win10v2004-20241007-en
General
Target: cd3368e03ec8634a3f25176267bd9b5f05ef5a41ae219cbaeea840918e39db86N.exe
Size: 362KB
MD5: c8f45a7181a85e98b40e377afa9621c0
SHA1: c93ee858557bfafea7383b6347626ecfbfdb4ddf
SHA256: cd3368e03ec8634a3f25176267bd9b5f05ef5a41ae219cbaeea840918e39db86
SHA512: a09ed9d2aee353e117ec982ec81725f02af14ce8e5528355586b44790081658021c7b35a227b4ce49df0fd386bd41736077c71185bda0d455606f815e82f51c4
SSDEEP: 6144:5g56XAyvYfUatGDuMEUrQVad7nG3mbDp2o+SsmiMyhtHEyr5psPc1aj8DOvlvuZn:GcANtmuMtrQ07nGWxWSsmiMyh95r5OPS
Malware Config
Extracted family: berbew
C2 URLs:
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third URL is a C printf-style template (%s, %i, %09u, %02d) that the sample fills in at run time, so the literal string will never appear on the wire; match on the host, path and the colon-separated field structure rather than on the string as extracted.
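The following Python is an added example, not part of the sandbox report or of the malware: it turns the extracted printf template into an anchored regular expression and runs it, together with the two literal URLs, over constructed proxy log lines. Only the host, path and separator structure come from the page; the field contents in the sample log (hostname, counters, a time) are assumptions made up to fit the template, and the log format is invented.

```python
import re
from typing import List

# The three C2 URLs extracted from the sample's configuration on this page.
# The third is a printf-style template that the malware fills in at run time.
BERBEW_URLS = [
    "http://viruslist.com/wcmd.txt",
    "http://viruslist.com/ppslog.php",
    "http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# One printf conversion: optional zero flag, optional width, conversion letter.
_CONVERSION = re.compile(r"%(?P<zero>0?)(?P<width>\d*)(?P<conv>[sdiu])")


def format_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a printf-style URL template into an anchored regex.

    Assumptions (the page gives the template, not the field contents):
    %s matches a run of characters other than ':' (the separator the template
    itself uses), %d/%i a signed integer, %u an unsigned integer, and a
    zero-padded width such as %09u or %02d exactly that many digits.
    """
    parts: List[str] = []
    pos = 0
    for m in _CONVERSION.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))  # literal text between fields
        conv, width, zero = m["conv"], m["width"], m["zero"]
        if conv == "s":
            parts.append(r"[^:\s]*")
        elif zero and width:
            parts.append(r"\d{%s}" % width)
        elif conv == "u":
            parts.append(r"\d+")
        else:  # d or i
            parts.append(r"-?\d+")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


BERBEW_PATTERNS = [format_to_regex(u) for u in BERBEW_URLS]


def is_berbew_url(url: str) -> bool:
    """True if the URL is one of the literal C2 URLs or an instance of the template."""
    return any(p.match(url) for p in BERBEW_PATTERNS)


# Constructed proxy log, "timestamp client method url status". The piplog
# field values (hostname, counters, time) are invented to fit the template;
# line 3 is a near miss (five digits where the template demands nine) and
# line 4 uses the right path on the wrong host.
SAMPLE_PROXY_LOG = """\
2024-10-11T16:00:12Z 10.0.0.5 GET http://viruslist.com/wcmd.txt 404
2024-10-11T16:00:13Z 10.0.0.5 GET http://viruslist.com/piplog.php?WIN-ABC123:1:0:user:000012345:7:10:11:16 404
2024-10-11T16:00:14Z 10.0.0.7 GET http://viruslist.com/piplog.php?host:1:2:user:12345:3:01:02:03 404
2024-10-11T16:00:15Z 10.0.0.9 GET http://example.com/piplog.php?a:1:2:b:000000001:3:01:02:03 200
2024-10-11T16:00:16Z 10.0.0.5 GET http://viruslist.com/ppslog.php 404
"""


def find_beacons(log_lines) -> List[str]:
    """Return the URLs of log lines whose URL field matches a Berbew C2 pattern."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and is_berbew_url(fields[3]):
            hits.append(fields[3])
    return hits


if __name__ == "__main__":
    for url in find_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print("berbew beacon:", url)
```

The anchored pattern is deliberately strict about the nine-digit and two-digit fields; if a variant of the sample changes the template, regenerate the regex from the newly extracted string rather than loosening this one.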
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe loads every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so this entry gives the sample in-process code execution inside Explorer at each logon; the DLL it resolves to is named by the CLSID's InProcServer32 registration (see "Modifies registry class" below). Every stage of the drop chain re-creates the key and rewrites the same value, which is why a single CLSID is written 39 times here.
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad  (25 events) by:
  Dcopcjab.exe, Hmbmag32.exe, Glfjao32.exe, Gndgmk32.exe, Mbhief32.exe, Ckafbk32.exe, Kkilnfpl.exe, Gbahibqg.exe,
  Mlnnbo32.exe, Process not Found, Epkndg32.exe, Dmgacfqo.exe, Lhjnnbem.exe, Hlipmmod.exe, Dpihin32.exe, Qeaogicp.exe,
  Hijdaapp.exe, Ibigpo32.exe, Idkije32.exe, Jkpjhghf.exe, Omgjohog.exe, Gdbchbob.exe, Kihbofab.exe, Infabq32.exe, Cadpeb32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"  (39 events) by:
  Heenpm32.exe, Qojjjenl.exe, Aonfqgbp.exe, Ehfncp32.exe, Jebfej32.exe, Nngdmfoo.exe, Fdmohapq.exe, Process not Found,
  Pkedia32.exe, Kdmgllkb.exe, Oilbajjl.exe, Eihlhlad.exe, Njhelo32.exe, Noqomh32.exe, Dbphjdfg.exe, Process not Found,
  Gkifgb32.exe, Nidfeaeb.exe, Dhlgpljo.exe, Ljhcpgpe.exe, Pfcaifng.exe, Jlgcia32.exe, Efkfgjmb.exe, Dokdnmda.exe,
  Ocplal32.exe, Jelfmd32.exe, Pcopjdlm.exe, Ejcfbfqg.exe, Oanmdglf.exe, Omgjohog.exe, Finkoe32.exe, Hflhefql.exe,
  Badgneba.exe, Blboaicf.exe, Gpdcgnep.exe, Process not Found, Olnbmk32.exe, Hbhhok32.exe, Niaipbhe.exe
Berbew family
Executes dropped EXE (64 IoCs)
Every stage is a fresh copy under a random 8-character name (most ending in "32"), listed here in the order the stages were launched (compare the WriteProcessMemory chain at the end of the report). The chain does not stop at the 64 entries shown; the crash recorded further down involves PID 11204.
pid  Process
4280  Goghdhhb.exe
4540  Gddqmo32.exe
4512  Ghbicmmp.exe
1664  Gdhjhnbd.exe
4796  Gonnegbj.exe
612  Hgiciipe.exe
3652  Hdmccmno.exe
2304  Hkglpgfk.exe
976  Hkihegdi.exe
4596  Hfombpco.exe
1388  Hklekg32.exe
1244  Hddiclhf.exe
3664  Ifdfno32.exe
2284  Ioljfe32.exe
688  Iidoojlj.exe
4456  Ioogld32.exe
3696  Iiglejjg.exe
3108  Ifklnn32.exe
2788  Infabq32.exe
5084  Ikjale32.exe
1040  Jbdiio32.exe
1928  Jebfej32.exe
2456  Jbffno32.exe
552  Jedbjj32.exe
4072  Jeileifo.exe
1720  Jpopcbfd.exe
4856  Jgjegd32.exe
3700  Kndmdojl.exe
2192  Kijaagjb.exe
1488  Kpcina32.exe
4676  Kfnaklil.exe
1956  Kepbfh32.exe
512  Khonbdoj.exe
60  Knkcdn32.exe
3680  Keekahla.exe
2212  Klocnbcn.exe
2008  Knmpjmba.exe
3720  Kicdgfbg.exe
3616  Lpmldp32.exe
5004  Lbkhpl32.exe
1460  Lieamfpe.exe
2364  Lpoijpgb.exe
2776  Lhjnnbem.exe
3060  Lpafopeo.exe
4812  Lenngfcf.exe
2148  Lpdbeo32.exe
1808  Lbboak32.exe
3960  Lilgnejm.exe
748  Lpfojo32.exe
3504  Lbekfj32.exe
1312  Lioccdhj.exe
2712  Mlmpopgn.exe
1208  Mbghljok.exe
2040  Miapid32.exe
1448  Mpkhenmd.exe
4164  Mbieajlh.exe
2264  Micmnd32.exe
4232  Mopefk32.exe
3792  Mejnce32.exe
1376  Mldfpoaf.exe
4484  Mobbljpj.exe
4312  Mfjjmhql.exe
1492  Mlfbeooc.exe
3688  Moeoajng.exe
Drops file in System32 directory (64 IoCs)
Every path is under C:\Windows\SysWOW64: the sample is 32-bit and runs under WOW64 on this x64 image, which is also why its registry writes land under WOW6432Node. Each stage drops a further .exe and a .dll with the same 8-character naming scheme; the DLLs are the kind of file the InProcServer32 values under "Modifies registry class" point at.
description  ioc  Process
File created  C:\Windows\SysWOW64\Qdcani32.exe  Qmiiao32.exe
File created  C:\Windows\SysWOW64\Bfmmjomg.dll  Lpnjgooa.exe
File created  C:\Windows\SysWOW64\Odnnoh32.exe  Process not Found
File created  C:\Windows\SysWOW64\Fjbgip32.dll  Bfieil32.exe
File opened for modification  C:\Windows\SysWOW64\Ahhpdfcb.exe  Aanhhlle.exe
File created  C:\Windows\SysWOW64\Gllkjebb.dll  Cdcckd32.exe
File opened for modification  C:\Windows\SysWOW64\Genhpobn.exe  Gpapgg32.exe
File opened for modification  C:\Windows\SysWOW64\Llojgjeo.exe  Process not Found
File created  C:\Windows\SysWOW64\Nlmjdd32.dll  Boofbkhi.exe
File created  C:\Windows\SysWOW64\Dhheea32.dll  Efkfgjmb.exe
File created  C:\Windows\SysWOW64\Lfchocbd.dll  Pamoao32.exe
File created  C:\Windows\SysWOW64\Imfchdga.dll  Dobjol32.exe
File created  C:\Windows\SysWOW64\Eibhma32.dll  Pjpcdo32.exe
File opened for modification  C:\Windows\SysWOW64\Cgjbmkhn.exe  Cmbnceam.exe
File created  C:\Windows\SysWOW64\Jbpgfhci.exe  Jleojn32.exe
File opened for modification  C:\Windows\SysWOW64\Jnhfnj32.exe  Jkijao32.exe
File opened for modification  C:\Windows\SysWOW64\Pldacdae.exe  Paomfkao.exe
File opened for modification  C:\Windows\SysWOW64\Kjkfol32.exe  Kgmica32.exe
File created  C:\Windows\SysWOW64\Lnbakiaf.exe  Lfkijlqd.exe
File created  C:\Windows\SysWOW64\Dfamnkah.dll  Fdmohapq.exe
File created  C:\Windows\SysWOW64\Gijcqb32.dll  Fbapbe32.exe
File created  C:\Windows\SysWOW64\Plgdcj32.exe  Phlibkje.exe
File created  C:\Windows\SysWOW64\Haoficjo.dll  Nilijl32.exe
File created  C:\Windows\SysWOW64\Qdchho32.exe  Qmipleob.exe
File opened for modification  C:\Windows\SysWOW64\Mofjiaeb.exe  Lfnfpl32.exe
File opened for modification  C:\Windows\SysWOW64\Mldfpoaf.exe  Mejnce32.exe
File created  C:\Windows\SysWOW64\Djilaaef.exe  Dkhlcj32.exe
File opened for modification  C:\Windows\SysWOW64\Jphieo32.exe  Jjnqhecf.exe
File opened for modification  C:\Windows\SysWOW64\Ngleec32.exe  Nabmiifc.exe
File created  C:\Windows\SysWOW64\Ilelbkcb.dll  Hnaejl32.exe
File opened for modification  C:\Windows\SysWOW64\Bklcqn32.exe  Afokhg32.exe
File created  C:\Windows\SysWOW64\Bldfnf32.dll  Cmgpfo32.exe
File created  C:\Windows\SysWOW64\Epoaeqgg.exe  Emqdiehd.exe
File created  C:\Windows\SysWOW64\Ladhba32.exe  Liicno32.exe
File created  C:\Windows\SysWOW64\Mdbjoqgn.dll  Nicokkbf.exe
File created  C:\Windows\SysWOW64\Ffmlodhd.dll  Ibafiikj.exe
File created  C:\Windows\SysWOW64\Kipqgp32.exe  Kjopiihp.exe
File opened for modification  C:\Windows\SysWOW64\Canaojmb.exe  Ckdibp32.exe
File created  C:\Windows\SysWOW64\Ioholb32.dll  Dnhgph32.exe
File created  C:\Windows\SysWOW64\Kbfonn32.dll  Fikhoofg.exe
File created  C:\Windows\SysWOW64\Bdkcefbj.dll  Jbjiohco.exe
File created  C:\Windows\SysWOW64\Plcjinmi.exe  Pejblc32.exe
File created  C:\Windows\SysWOW64\Ocbhgk32.exe  Oadlkp32.exe
File created  C:\Windows\SysWOW64\Mimqji32.dll  Ipjlca32.exe
File opened for modification  C:\Windows\SysWOW64\Fgqepl32.exe  Febhcp32.exe
File created  C:\Windows\SysWOW64\Jebfej32.exe  Jbdiio32.exe
File created  C:\Windows\SysWOW64\Jfmeqb32.dll  Mankhp32.exe
File created  C:\Windows\SysWOW64\Pmadjqpe.dll  Ffnigpok.exe
File created  C:\Windows\SysWOW64\Dbdjkmof.exe  Dmgacfqo.exe
File opened for modification  C:\Windows\SysWOW64\Hhegbhig.exe  Hbioia32.exe
File created  C:\Windows\SysWOW64\Omlkhecd.dll  Hbioia32.exe
File opened for modification  C:\Windows\SysWOW64\Cdijkp32.exe  Bideng32.exe
File created  C:\Windows\SysWOW64\Icedbb32.exe  Ibdgkj32.exe
File created  C:\Windows\SysWOW64\Jpmghgem.dll  Pjflaoem.exe
File created  C:\Windows\SysWOW64\Ckafbk32.exe  Cicjfo32.exe
File opened for modification  C:\Windows\SysWOW64\Gmfnehjg.exe  Gflein32.exe
File created  C:\Windows\SysWOW64\Ccehpmeb.dll  Dminhfol.exe
File created  C:\Windows\SysWOW64\Nlpcjf32.dll  Glfjao32.exe
File created  C:\Windows\SysWOW64\Naohloca.exe  Process not Found
File created  C:\Windows\SysWOW64\Igllaohh.dll  Djdcfb32.exe
File created  C:\Windows\SysWOW64\Gphfhf32.exe  Ggangi32.exe
File created  C:\Windows\SysWOW64\Obphldmm.dll  Kifeigcd.exe
File created  C:\Windows\SysWOW64\Mfibghej.dll  Effllk32.exe
File created  C:\Windows\SysWOW64\Heenpm32.exe  Gphfhf32.exe
Program crash (1 IoC)
pid  pid_target  Process  procid_target
11204  10972  Process not Found  1209
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is something almost every locale-aware program does, so on its own it is a weak signal; it is recorded here because the sandbox saw each stage of the chain do it.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (64 events) by:
  Kkgfcmfj.exe, Bhbapabo.exe, Hlipmmod.exe, Fqfeikpf.exe, Ejnflq32.exe, Process not Found, Iagnam32.exe, Beodnq32.exe,
  Lqjggf32.exe, Gidkennl.exe, Giggjmlj.exe, Henafl32.exe, Aioclj32.exe, Aihfbhed.exe, Hbonpjal.exe, Bfbohmii.exe,
  Febhcp32.exe, Jeileifo.exe, Blboaicf.exe, Kleiphfd.exe, Opmjpnag.exe, Nljefh32.exe, Ohmegg32.exe, Dcaajg32.exe,
  Jkpjhghf.exe, Lnnhpj32.exe, Baenhkem.exe, Dnpjec32.exe, Ppemihid.exe, Qhbocj32.exe, Bcdblaje.exe, Eaieca32.exe,
  Edgapl32.exe, Locgik32.exe, Jgbhlo32.exe, Nbigna32.exe, Ipjlca32.exe, Ffpobj32.exe, Igcnfdjd.exe, Lfdcjm32.exe,
  Bdpgda32.exe, Pajckl32.exe, Ffnigpok.exe, Ljglea32.exe, Fiqhde32.exe, Kjnbdl32.exe, Badgneba.exe, Pfmlfpka.exe,
  Cfmqoogd.exe, Dinbhg32.exe, Hpbohl32.exe, Bdegjfbn.exe, Jelfmd32.exe, Miapid32.exe, Agflga32.exe, Ecmpfeaj.exe,
  Fimeclno.exe, Ejnakcej.exe, Akgjenim.exe, Cmbnceam.exe, Inkpge32.exe, Dbmdjn32.exe, Gmhcqb32.exe, Jbeodh32.exe
Modifies registry class (64 IoCs)
All 64 events touch one key, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, which is the COM registration for the CLSID that the ShellServiceObjectDelayLoad entry above tells Explorer to load. Each stage re-points the key's default value at a freshly dropped DLL in C:\Windows\SysWow64 (14 distinct paths in this listing alone), so a live registry only ever shows the most recently written DLL; the earlier ones have to be collected from disk, not from the registry.
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  (24 events) by:
  Process not Found, Lagegacl.exe, Lnnokqig.exe, Pfpilpio.exe, Aoapkd32.exe, Process not Found, Oenbpepj.exe, Hlbjmn32.exe,
  Hfombpco.exe, Affomo32.exe, Ejcfbfqg.exe, Eohkda32.exe, Process not Found, Ojhghfmh.exe, Mjbnlc32.exe, Doaddb32.exe,
  Dkanig32.exe, Klblji32.exe, Fnmqml32.exe, Cgjbmkhn.exe, Mnlklnmg.exe, Innmme32.exe, Lgkfdo32.exe, Pamoao32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  (26 events) by:
  Opdpamkp.exe, Jgpkfpgo.exe, Ghconfga.exe, Fnpmbkbb.exe, Nnhkhm32.exe, Ejnakcej.exe, Process not Found, Geqlpdcg.exe,
  Dqdggddg.exe, Ilaeooob.exe, Process not Found, Phfhmeko.exe, Afmocg32.exe, Nolebiho.exe, Epoaeqgg.exe, Process not Found,
  Jmfiim32.exe, Qdcani32.exe, Process not Found, Nilijl32.exe, Npfcpo32.exe, Enomqgmi.exe, Genhpobn.exe, Amdimmai.exe,
  Cfpdodim.exe, Kndmdojl.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default value) = DLL path  (14 events):
  "C:\\Windows\\SysWow64\\Mmolmb32.dll"  Lnnhpj32.exe
  "C:\\Windows\\SysWow64\\Jjadoppi.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Dnopcmal.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Hjmaembm.dll"  Lmobqnbe.exe
  "C:\\Windows\\SysWow64\\Bpdaei32.dll"  Kfmmin32.exe
  "C:\\Windows\\SysWow64\\Makeflhh.dll"  Process not Found
  "C:\\Windows\\SysWow64\\Fjompa32.dll"  Mbieajlh.exe
  "C:\\Windows\\SysWow64\\Akfeie32.dll"  Nofemc32.exe
  "C:\\Windows\\SysWow64\\Lgdmbj32.dll"  Gnlnknin.exe
  "C:\\Windows\\SysWow64\\Ehggcp32.dll"  Lgemhm32.exe
  "C:\\Windows\\SysWow64\\Lpofnpeo.dll"  Eckoohge.exe
  "C:\\Windows\\SysWow64\\Gqmicmjo.dll"  Fkggekgm.exe
  "C:\\Windows\\SysWow64\\Imiaalih.dll"  Mlcoei32.exe
  "C:\\Windows\\SysWow64\\Flfdebpo.dll"  Mfjjmhql.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each process spawns the next; the leading number is its depth in the chain. Every dropped executable is launched from C:\Windows\SysWOW64 with the command line C:\Windows\system32\<name>.exe. Signatures that fired for each process follow its PID.
1. C:\Users\Admin\AppData\Local\Temp\cd3368e03ec8634a3f25176267bd9b5f05ef5a41ae219cbaeea840918e39db86N.exe, command line "C:\Users\Admin\AppData\Local\Temp\cd3368e03ec8634a3f25176267bd9b5f05ef5a41ae219cbaeea840918e39db86N.exe", PID 2056: Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Goghdhhb.exe, PID 4280: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Gddqmo32.exe, PID 4540: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ghbicmmp.exe, PID 4512: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Gdhjhnbd.exe, PID 1664: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Gonnegbj.exe, PID 4796: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hgiciipe.exe, PID 612: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Hdmccmno.exe, PID 3652: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Hkglpgfk.exe, PID 2304: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Hkihegdi.exe, PID 976: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hfombpco.exe, PID 4596: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hklekg32.exe, PID 1388: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hddiclhf.exe, PID 1244: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ifdfno32.exe, PID 3664: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ioljfe32.exe, PID 2284: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Iidoojlj.exe, PID 688: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ioogld32.exe, PID 4456: Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Iiglejjg.exe, PID 3696: Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ifklnn32.exe, PID 3108: Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Infabq32.exe, PID 2788: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ikjale32.exe, PID 5084: Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Jbdiio32.exe, PID 1040: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Jebfej32.exe, PID 1928: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
24. C:\Windows\SysWOW64\Jbffno32.exe, PID 2456: Executes dropped EXE
25. C:\Windows\SysWOW64\Jedbjj32.exe, PID 552: Executes dropped EXE
26. C:\Windows\SysWOW64\Jeileifo.exe, PID 4072: Executes dropped EXE; System Location Discovery: System Language Discovery
27. C:\Windows\SysWOW64\Jpopcbfd.exe, PID 1720: Executes dropped EXE
28. C:\Windows\SysWOW64\Jgjegd32.exe, PID 4856: Executes dropped EXE
29. C:\Windows\SysWOW64\Kndmdojl.exe, PID 3700: Executes dropped EXE; Modifies registry class
30. C:\Windows\SysWOW64\Kijaagjb.exe, PID 2192: Executes dropped EXE
31. C:\Windows\SysWOW64\Kpcina32.exe, PID 1488: Executes dropped EXE
32. C:\Windows\SysWOW64\Kfnaklil.exe, PID 4676: Executes dropped EXE
33. C:\Windows\SysWOW64\Kepbfh32.exe, PID 1956: Executes dropped EXE
34. C:\Windows\SysWOW64\Khonbdoj.exe, PID 512: Executes dropped EXE
35. C:\Windows\SysWOW64\Knkcdn32.exe, PID 60: Executes dropped EXE
36. C:\Windows\SysWOW64\Keekahla.exe, PID 3680: Executes dropped EXE
37. C:\Windows\SysWOW64\Klocnbcn.exe, PID 2212: Executes dropped EXE
38. C:\Windows\SysWOW64\Knmpjmba.exe, PID 2008: Executes dropped EXE
39. C:\Windows\SysWOW64\Kicdgfbg.exe, PID 3720: Executes dropped EXE
40. C:\Windows\SysWOW64\Lpmldp32.exe, PID 3616: Executes dropped EXE
41. C:\Windows\SysWOW64\Lbkhpl32.exe, PID 5004: Executes dropped EXE
42. C:\Windows\SysWOW64\Lieamfpe.exe, PID 1460: Executes dropped EXE
43. C:\Windows\SysWOW64\Lpoijpgb.exe, PID 2364: Executes dropped EXE
44. C:\Windows\SysWOW64\Lhjnnbem.exe, PID 2776: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Lpafopeo.exe, PID 3060: Executes dropped EXE
46. C:\Windows\SysWOW64\Lenngfcf.exe, PID 4812: Executes dropped EXE
47. C:\Windows\SysWOW64\Lpdbeo32.exe, PID 2148: Executes dropped EXE
48. C:\Windows\SysWOW64\Lbboak32.exe, PID 1808: Executes dropped EXE
49. C:\Windows\SysWOW64\Lilgnejm.exe, PID 3960: Executes dropped EXE
50. C:\Windows\SysWOW64\Lpfojo32.exe, PID 748: Executes dropped EXE
51. C:\Windows\SysWOW64\Lbekfj32.exe, PID 3504: Executes dropped EXE
52. C:\Windows\SysWOW64\Lioccdhj.exe, PID 1312: Executes dropped EXE
53. C:\Windows\SysWOW64\Mlmpopgn.exe, PID 2712: Executes dropped EXE
54. C:\Windows\SysWOW64\Mbghljok.exe, PID 1208: Executes dropped EXE
55. C:\Windows\SysWOW64\Miapid32.exe, PID 2040: Executes dropped EXE; System Location Discovery: System Language Discovery
56. C:\Windows\SysWOW64\Mpkhenmd.exe, PID 1448: Executes dropped EXE
57. C:\Windows\SysWOW64\Mbieajlh.exe, PID 4164: Executes dropped EXE; Modifies registry class
58. C:\Windows\SysWOW64\Micmnd32.exe, PID 2264: Executes dropped EXE
59. C:\Windows\SysWOW64\Mopefk32.exe, PID 4232: Executes dropped EXE
60. C:\Windows\SysWOW64\Mejnce32.exe, PID 3792: Executes dropped EXE; Drops file in System32 directory
61. C:\Windows\SysWOW64\Mldfpoaf.exe, PID 1376: Executes dropped EXE
62. C:\Windows\SysWOW64\Mobbljpj.exe, PID 4484: Executes dropped EXE
63. C:\Windows\SysWOW64\Mfjjmhql.exe, PID 4312: Executes dropped EXE; Modifies registry class
64. C:\Windows\SysWOW64\Mlfbeooc.exe, PID 1492: Executes dropped EXE
65. C:\Windows\SysWOW64\Moeoajng.exe, PID 3688: Executes dropped EXE
66. C:\Windows\SysWOW64\Meognded.exe, PID 2104
67. C:\Windows\SysWOW64\Nliokn32.exe, PID 3092
68. C:\Windows\SysWOW64\Nimpdb32.exe, PID 640
69. C:\Windows\SysWOW64\Nbedmhbk.exe, PID 1316
70. C:\Windows\SysWOW64\Nhbmeo32.exe, PID 5076
71. C:\Windows\SysWOW64\Nolebiho.exe, PID 220: Modifies registry class
72. C:\Windows\SysWOW64\Niaipbhe.exe, PID 2116: Adds autorun key to be loaded by Explorer.exe on startup
73. C:\Windows\SysWOW64\Npkall32.exe, PID 1864
74. C:\Windows\SysWOW64\Nidfeaeb.exe, PID 3748: Adds autorun key to be loaded by Explorer.exe on startup
75. C:\Windows\SysWOW64\Noqomh32.exe, PID 1540: Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Ohicfnjj.exe, PID 3820
77. C:\Windows\SysWOW64\Oppkgkkl.exe, PID 4040
78. C:\Windows\SysWOW64\Ogjcde32.exe, PID 3712
79. C:\Windows\SysWOW64\Ohkplnhg.exe, PID 4260
80. C:\Windows\SysWOW64\Ooehhhpd.exe, PID 4256
81. C:\Windows\SysWOW64\Olihblon.exe, PID 3280
82. C:\Windows\SysWOW64\Ogomoend.exe, PID 1800
83. C:\Windows\SysWOW64\Ogaied32.exe, PID 3328
84. C:\Windows\SysWOW64\Olnbmk32.exe, PID 4956: Adds autorun key to be loaded by Explorer.exe on startup
85. C:\Windows\SysWOW64\Oolnig32.exe, PID 4404
86. C:\Windows\SysWOW64\Oefffaai.exe, PID 4560
87. C:\Windows\SysWOW64\Pjbbfp32.exe, PID 924
88. C:\Windows\SysWOW64\Ppljcjao.exe, PID 2584
89. C:\Windows\SysWOW64\Pjdologp.exe, PID 3044
90. C:\Windows\SysWOW64\Pcmcee32.exe, PID 4368
91. C:\Windows\SysWOW64\Pghpecfi.exe, PID 4172
92. C:\Windows\SysWOW64\Pjflaoem.exe, PID 4616: Drops file in System32 directory
93. C:\Windows\SysWOW64\Philml32.exe, PID 5136
94. C:\Windows\SysWOW64\Ppqdni32.exe, PID 5200
95. C:\Windows\SysWOW64\Pcopjdlm.exe, PID 5244: Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Pfmlfpka.exe, PID 5284: System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Phlibkje.exe, PID 5336: Drops file in System32 directory
98. C:\Windows\SysWOW64\Plgdcj32.exe, PID 5380
99. C:\Windows\SysWOW64\Poeaoe32.exe, PID 5424
100. C:\Windows\SysWOW64\Pfpilpio.exe, PID 5480: Modifies registry class
101. C:\Windows\SysWOW64\Phnehkhb.exe, PID 5524
102. C:\Windows\SysWOW64\Ppemihid.exe, PID 5572: System Location Discovery: System Language Discovery
103. C:\Windows\SysWOW64\Pcciedhh.exe, PID 5624
104. C:\Windows\SysWOW64\Pgoefbpa.exe, PID 5672
105. C:\Windows\SysWOW64\Qllnnini.exe, PID 5712
106. C:\Windows\SysWOW64\Qojjjenl.exe, PID 5756: Adds autorun key to be loaded by Explorer.exe on startup
107. C:\Windows\SysWOW64\Qhbocj32.exe, PID 5800: System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Affomo32.exe, PID 5844: Modifies registry class
109. C:\Windows\SysWOW64\Ahekijbj.exe, PID 5888
110. C:\Windows\SysWOW64\Aooced32.exe, PID 5932
111. C:\Windows\SysWOW64\Agflga32.exe, PID 5976: System Location Discovery: System Language Discovery
112. C:\Windows\SysWOW64\Aoapkd32.exe, PID 6028: Modifies registry class
113. C:\Windows\SysWOW64\Aijedi32.exe, PID 6068
114. C:\Windows\SysWOW64\Afnemn32.exe, PID 6108
115. C:\Windows\SysWOW64\Ailaii32.exe, PID 5124
116. C:\Windows\SysWOW64\Aofjfcco.exe, PID 5208
117. C:\Windows\SysWOW64\Bcdblaje.exe, PID 5280: System Location Discovery: System Language Discovery
118. C:\Windows\SysWOW64\Bfbohmii.exe, PID 5356: System Location Discovery: System Language Discovery
119. C:\Windows\SysWOW64\Bmlgeg32.exe, PID 5432
120. C:\Windows\SysWOW64\Bgbkbp32.exe, PID 5516
121. C:\Windows\SysWOW64\Bjpgok32.exe, PID 5592
122. C:\Windows\SysWOW64\Bgdhhoni.exe, PID 5660