Analysis
-
max time kernel
91s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 21:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe
-
Size
64KB
-
MD5
e52984bcb13cb661c246f15184dc1fe2
-
SHA1
f4a5ecd84be90a324f8ec55d6b0b7772511d58dd
-
SHA256
33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02
-
SHA512
c7a6743f778ddcba9073dce39fdceb300ecf811ba3bc56e3d4b187ad705d57b5d20487b1263d3d1da1b9df7b17831938a3d39e637455d224e7ed7826b631746d
-
SSDEEP
1536:1Bn9pG8zmAMHPZ/JtCms5CqUGnvLWZuYDP9:1Bn9Jms5CqFvLWZuY79
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphibcoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glmqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgknnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emqegkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmkgnlkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdglpfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbhklcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkokfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfcbc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcammi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noeakfan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmmdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijikq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njokjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjejnmam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaejmano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcahpn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabqnbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdclldfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjepmfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpmgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbmllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfogcfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgjhkjbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckdmjhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiigjjla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnnfag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbimjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbpoofo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndmacoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knalme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjadb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iicknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggnaabi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmmoloo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfiphabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emcali32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megdfnhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bglepipb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkccjik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidehmni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmkic32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdfekcia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbbfdpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oimbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfnbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bggdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedddf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobdef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiepjna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejobh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogifmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnljgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gonnblgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekabpiim.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1484 Ldeohh32.exe 1032 Libgpooi.exe 1148 Llpcljnl.exe 640 Ldgkmhno.exe 3112 Liddfolf.exe 2544 Lpnlbi32.exe 2772 Lekekp32.exe 4152 Llemgj32.exe 4872 Ldlehg32.exe 3052 Mgjadb32.exe 4724 Mlgjmi32.exe 1420 Mdnang32.exe 3772 Mcabjcoa.exe 4940 Mljfbiea.exe 764 Mdqncffd.exe 2988 Mebkko32.exe 216 Minglmdk.exe 3152 Mllchico.exe 700 Mpgoig32.exe 2164 Mgageace.exe 4844 Medgan32.exe 3916 Mlnpnh32.exe 4876 Megdfnhm.exe 4996 Ndhdde32.exe 1292 Nlciih32.exe 2736 Njgjbllq.exe 4372 Ngkjlpkj.exe 4620 Nnebhj32.exe 3500 Ncakqaqo.exe 5072 Njlcmk32.exe 2740 Npekjeph.exe 3816 Ngpcgp32.exe 2336 Nnilcjnb.exe 1980 Ophhpene.exe 2960 Ogbploeb.exe 4776 Ojplhkdf.exe 4036 Oloidfcj.exe 2600 Odfqecdl.exe 4340 Ofgmml32.exe 1888 Olaejfag.exe 448 Odhmkcbi.exe 3364 Ofijckhg.exe 632 Onqbdihj.exe 2208 Oqonpdgn.exe 4408 Ogifmn32.exe 3416 Ojgbij32.exe 3128 Odmgfb32.exe 2604 Ogkcbn32.exe 4564 Onekoh32.exe 5028 Pdoclbla.exe 3492 Pjlldiji.exe 4728 Pmjhpdil.exe 3312 Pgplnmib.exe 1868 Pnjejgpo.exe 4544 Pddmga32.exe 4448 Pgbicm32.exe 3952 Pmoakd32.exe 4888 Pcijhnld.exe 2096 Pfgfdikg.exe 3104 Pdhfbacf.exe 4116 Pckfnn32.exe 1540 Pnakkf32.exe 2024 Qqoggb32.exe 2460 Qflpoi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Flbhmk32.exe Ffepedmh.exe File created C:\Windows\SysWOW64\Klhklc32.dll Gidehmni.exe File opened for modification C:\Windows\SysWOW64\Pgplnmib.exe Pmjhpdil.exe File opened for modification C:\Windows\SysWOW64\Ibicacnc.exe Iojgegoo.exe File created C:\Windows\SysWOW64\Meadah32.exe Mpdkiajo.exe File created C:\Windows\SysWOW64\Okpkkfbm.exe Oioocn32.exe File created C:\Windows\SysWOW64\Ooqqgdgq.exe Olbdkihm.exe File created C:\Windows\SysWOW64\Polpbc32.exe Plndfgnp.exe File created C:\Windows\SysWOW64\Afnqbdlm.dll Neglmk32.exe File created C:\Windows\SysWOW64\Gpfpjb32.exe Gmhcnf32.exe File opened for modification C:\Windows\SysWOW64\Pkpmgn32.exe Pdfekcia.exe File created C:\Windows\SysWOW64\Ljgehpnc.exe Process not Found File created C:\Windows\SysWOW64\Nffijoad.dll Jpffqfdb.exe File created C:\Windows\SysWOW64\Fmehgc32.exe Fkflkh32.exe File created C:\Windows\SysWOW64\Dkielo32.dll Fpeaio32.exe File opened for modification C:\Windows\SysWOW64\Ahlklg32.exe Aaabomfo.exe File opened for modification C:\Windows\SysWOW64\Hgahhpeh.exe Hdclldfd.exe File opened for modification C:\Windows\SysWOW64\Lqikpo32.exe Lnjnccdp.exe File opened for modification C:\Windows\SysWOW64\Hdiclq32.exe Hnokofaj.exe File opened for modification C:\Windows\SysWOW64\Kkomqpdh.exe Kedddf32.exe File opened for modification C:\Windows\SysWOW64\Peobonjh.exe Pcqfbbkd.exe File created C:\Windows\SysWOW64\Gidehmni.exe Gffhlaoe.exe File opened for modification C:\Windows\SysWOW64\Ddpjonea.exe Dnfabc32.exe File created C:\Windows\SysWOW64\Dnkkmcip.exe Dhnbelkh.exe File created C:\Windows\SysWOW64\Oinlcn32.dll Ldeohh32.exe File opened for modification C:\Windows\SysWOW64\Beeodm32.exe Bnkfhcdj.exe File created C:\Windows\SysWOW64\Pbpjcckb.dll Loninpid.exe File created C:\Windows\SysWOW64\Bglbch32.dll Jdkang32.exe File created C:\Windows\SysWOW64\Cmofdb32.exe Cjpjhg32.exe File opened for modification C:\Windows\SysWOW64\Epdahklc.exe Emfelomp.exe File created C:\Windows\SysWOW64\Hlkmpa32.exe Process not Found File created C:\Windows\SysWOW64\Hkchlfdj.dll Pkiggogf.exe File created C:\Windows\SysWOW64\Liddfolf.exe Ldgkmhno.exe File created C:\Windows\SysWOW64\Hpdank32.dll Megdfnhm.exe File created C:\Windows\SysWOW64\Fdogodpd.exe Femgcg32.exe File created C:\Windows\SysWOW64\Oocdgj32.exe Olehko32.exe File created C:\Windows\SysWOW64\Mpogamdh.dll Qlpqlg32.exe File opened for modification C:\Windows\SysWOW64\Oagphk32.exe Oniclo32.exe File opened for modification C:\Windows\SysWOW64\Ppemfm32.exe Pfpiid32.exe File opened for modification C:\Windows\SysWOW64\Olbdkihm.exe Oichonii.exe File created C:\Windows\SysWOW64\Hdlhem32.dll Bnheqeje.exe File opened for modification C:\Windows\SysWOW64\Dnpdhb32.exe Dkahlg32.exe File opened for modification C:\Windows\SysWOW64\Eoilpoig.exe Egbdoaie.exe File created C:\Windows\SysWOW64\Kpdgnf32.dll Mhppmd32.exe File created C:\Windows\SysWOW64\Afnejb32.exe Acping32.exe File created C:\Windows\SysWOW64\Nloonlhb.exe Najjachl.exe File opened for modification C:\Windows\SysWOW64\Kmdliace.exe Knalme32.exe File created C:\Windows\SysWOW64\Oeqocj32.exe Omigal32.exe File created C:\Windows\SysWOW64\Liflkh32.dll Mhjpgn32.exe File created C:\Windows\SysWOW64\Fiqbho32.dll Afpkelle.exe File created C:\Windows\SysWOW64\Dkmeknng.exe Djlide32.exe File opened for modification C:\Windows\SysWOW64\Ecnqcjfo.exe Emchfp32.exe File created C:\Windows\SysWOW64\Kpkple32.exe Kiagokip.exe File opened for modification C:\Windows\SysWOW64\Ochjgj32.exe Olnbjp32.exe File created C:\Windows\SysWOW64\Jpfcjd32.dll Aachjfpq.exe File created C:\Windows\SysWOW64\Phqelf32.dll Bkjidjja.exe File created C:\Windows\SysWOW64\Himqde32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hecaif32.exe Process not Found File created C:\Windows\SysWOW64\Koqgnp32.dll Fkiokn32.exe File created C:\Windows\SysWOW64\Ekmhalag.dll Ikjaiijk.exe File opened for modification C:\Windows\SysWOW64\Bfqkgp32.exe Bcbokd32.exe File created C:\Windows\SysWOW64\Phkbejko.exe Pihajm32.exe File created C:\Windows\SysWOW64\Fgaomhpp.dll Ahlklg32.exe File created C:\Windows\SysWOW64\Ckoijpjg.exe Ciqmnd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7056 6192 Process not Found 1191 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmocil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibopkdfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdopdnlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajlekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plgdpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciqmnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dieiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihnbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoilpoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpdkiajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nllknffi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelfhjgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odabiglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejjnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbbfdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjpplak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdfkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdndmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdgnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejafj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acping32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjedi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdglpfpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhjbdffe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaooog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njlcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcobmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomiiqoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhamjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejgipdnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflokm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infapela.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lechpjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjlel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpagqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbpda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leedejbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqikb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anepdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjbfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppigdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfnggjpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjlqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hplifeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjjheg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglmlkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inejeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohdkl32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 8200 Acping32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgpbmfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgnmnqe.dll" Oeqocj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdijecgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeiche32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pckpcgge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlale32.dll" Emnbgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljbfckmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paklon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmfdfe32.dll" Gpfpjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgebbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimpagqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plgdpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbhdfqh.dll" Ijgaoqap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illcinmf.dll" Meipkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmoagh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdaddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkflkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idahmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcgglj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkelgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdmdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpoeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjqknahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaabomfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpnmeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccmgll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codhamjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nohdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gielbcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopalp32.dll" Polpbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiineipp.dll" Akjghc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Finebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmnhjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikicdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejafj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbghiocp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plgdpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjeago32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knkcabij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflmoeec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebbom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmjdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Infapela.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iicknm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhgkofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlqmnoo.dll" Nbogqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojkckj32.dll" Ehlpcopa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghabekni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnmea32.dll" Hjqknahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfggia32.dll" Oqonpdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajlekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pojjgiba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooehla32.dll" Dfnqngac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oioocn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cieficgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poghmc32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 1484 1728 33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe 81 PID 1728 wrote to memory of 1484 1728 33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe 81 PID 1728 wrote to memory of 1484 1728 33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe 81 PID 1484 wrote to memory of 1032 1484 Ldeohh32.exe 82 PID 1484 wrote to memory of 1032 1484 Ldeohh32.exe 82 PID 1484 wrote to memory of 1032 1484 Ldeohh32.exe 82 PID 1032 wrote to memory of 1148 1032 Libgpooi.exe 83 PID 1032 wrote to memory of 1148 1032 Libgpooi.exe 83 PID 1032 wrote to memory of 1148 1032 Libgpooi.exe 83 PID 1148 wrote to memory of 640 1148 Llpcljnl.exe 84 PID 1148 wrote to memory of 640 1148 Llpcljnl.exe 84 PID 1148 wrote to memory of 640 1148 Llpcljnl.exe 84 PID 640 wrote to memory of 3112 640 Ldgkmhno.exe 85 PID 640 wrote to memory of 3112 640 Ldgkmhno.exe 85 PID 640 wrote to memory of 3112 640 Ldgkmhno.exe 85 PID 3112 wrote to memory of 2544 3112 Liddfolf.exe 86 PID 3112 wrote to memory of 2544 3112 Liddfolf.exe 86 PID 3112 wrote to memory of 2544 3112 Liddfolf.exe 86 PID 2544 wrote to memory of 2772 2544 Lpnlbi32.exe 87 PID 2544 wrote to memory of 2772 2544 Lpnlbi32.exe 87 PID 2544 wrote to memory of 2772 2544 Lpnlbi32.exe 87 PID 2772 wrote to memory of 4152 2772 Lekekp32.exe 88 PID 2772 wrote to memory of 4152 2772 Lekekp32.exe 88 PID 2772 wrote to memory of 4152 2772 Lekekp32.exe 88 PID 4152 wrote to memory of 4872 4152 Llemgj32.exe 89 PID 4152 wrote to memory of 4872 4152 Llemgj32.exe 89 PID 4152 wrote to memory of 4872 4152 Llemgj32.exe 89 PID 4872 wrote to memory of 3052 4872 Ldlehg32.exe 90 PID 4872 wrote to memory of 3052 4872 Ldlehg32.exe 90 PID 4872 wrote to memory of 3052 4872 Ldlehg32.exe 90 PID 3052 wrote to memory of 4724 3052 Mgjadb32.exe 91 PID 3052 wrote to memory of 4724 3052 Mgjadb32.exe 91 PID 3052 wrote to memory of 4724 3052 Mgjadb32.exe 91 PID 4724 wrote to memory of 1420 4724 Mlgjmi32.exe 92 PID 4724 wrote to memory of 1420 4724 Mlgjmi32.exe 92 PID 4724 wrote to memory of 1420 4724 Mlgjmi32.exe 92 PID 1420 wrote to memory of 3772 1420 Mdnang32.exe 93 PID 1420 wrote to memory of 3772 1420 Mdnang32.exe 93 PID 1420 wrote to memory of 3772 1420 Mdnang32.exe 93 PID 3772 wrote to memory of 4940 3772 Mcabjcoa.exe 94 PID 3772 wrote to memory of 4940 3772 Mcabjcoa.exe 94 PID 3772 wrote to memory of 4940 3772 Mcabjcoa.exe 94 PID 4940 wrote to memory of 764 4940 Mljfbiea.exe 95 PID 4940 wrote to memory of 764 4940 Mljfbiea.exe 95 PID 4940 wrote to memory of 764 4940 Mljfbiea.exe 95 PID 764 wrote to memory of 2988 764 Mdqncffd.exe 96 PID 764 wrote to memory of 2988 764 Mdqncffd.exe 96 PID 764 wrote to memory of 2988 764 Mdqncffd.exe 96 PID 2988 wrote to memory of 216 2988 Mebkko32.exe 97 PID 2988 wrote to memory of 216 2988 Mebkko32.exe 97 PID 2988 wrote to memory of 216 2988 Mebkko32.exe 97 PID 216 wrote to memory of 3152 216 Minglmdk.exe 98 PID 216 wrote to memory of 3152 216 Minglmdk.exe 98 PID 216 wrote to memory of 3152 216 Minglmdk.exe 98 PID 3152 wrote to memory of 700 3152 Mllchico.exe 99 PID 3152 wrote to memory of 700 3152 Mllchico.exe 99 PID 3152 wrote to memory of 700 3152 Mllchico.exe 99 PID 700 wrote to memory of 2164 700 Mpgoig32.exe 100 PID 700 wrote to memory of 2164 700 Mpgoig32.exe 100 PID 700 wrote to memory of 2164 700 Mpgoig32.exe 100 PID 2164 wrote to memory of 4844 2164 Mgageace.exe 101 PID 2164 wrote to memory of 4844 2164 Mgageace.exe 101 PID 2164 wrote to memory of 4844 2164 Mgageace.exe 101 PID 4844 wrote to memory of 3916 4844 Medgan32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe"C:\Users\Admin\AppData\Local\Temp\33e362f952f8b8bde511641f1c0ce00fbe0161741348aaa078ad28bd90643a02.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ldeohh32.exeC:\Windows\system32\Ldeohh32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Libgpooi.exeC:\Windows\system32\Libgpooi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Llpcljnl.exeC:\Windows\system32\Llpcljnl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Ldgkmhno.exeC:\Windows\system32\Ldgkmhno.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Liddfolf.exeC:\Windows\system32\Liddfolf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Lpnlbi32.exeC:\Windows\system32\Lpnlbi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Lekekp32.exeC:\Windows\system32\Lekekp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Llemgj32.exeC:\Windows\system32\Llemgj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Ldlehg32.exeC:\Windows\system32\Ldlehg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Mgjadb32.exeC:\Windows\system32\Mgjadb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Mlgjmi32.exeC:\Windows\system32\Mlgjmi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Mdnang32.exeC:\Windows\system32\Mdnang32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Mcabjcoa.exeC:\Windows\system32\Mcabjcoa.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Mljfbiea.exeC:\Windows\system32\Mljfbiea.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Mdqncffd.exeC:\Windows\system32\Mdqncffd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Mebkko32.exeC:\Windows\system32\Mebkko32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Minglmdk.exeC:\Windows\system32\Minglmdk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Mllchico.exeC:\Windows\system32\Mllchico.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Mpgoig32.exeC:\Windows\system32\Mpgoig32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Medgan32.exeC:\Windows\system32\Medgan32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Mlnpnh32.exeC:\Windows\system32\Mlnpnh32.exe23⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Megdfnhm.exeC:\Windows\system32\Megdfnhm.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Ndhdde32.exeC:\Windows\system32\Ndhdde32.exe25⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Nlciih32.exeC:\Windows\system32\Nlciih32.exe26⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Njgjbllq.exeC:\Windows\system32\Njgjbllq.exe27⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ngkjlpkj.exeC:\Windows\system32\Ngkjlpkj.exe28⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Nnebhj32.exeC:\Windows\system32\Nnebhj32.exe29⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Ncakqaqo.exeC:\Windows\system32\Ncakqaqo.exe30⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Njlcmk32.exeC:\Windows\system32\Njlcmk32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\Npekjeph.exeC:\Windows\system32\Npekjeph.exe32⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ngpcgp32.exeC:\Windows\system32\Ngpcgp32.exe33⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Nnilcjnb.exeC:\Windows\system32\Nnilcjnb.exe34⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ophhpene.exeC:\Windows\system32\Ophhpene.exe35⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ogbploeb.exeC:\Windows\system32\Ogbploeb.exe36⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ojplhkdf.exeC:\Windows\system32\Ojplhkdf.exe37⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Oloidfcj.exeC:\Windows\system32\Oloidfcj.exe38⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Odfqecdl.exeC:\Windows\system32\Odfqecdl.exe39⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ofgmml32.exeC:\Windows\system32\Ofgmml32.exe40⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Olaejfag.exeC:\Windows\system32\Olaejfag.exe41⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Odhmkcbi.exeC:\Windows\system32\Odhmkcbi.exe42⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Ofijckhg.exeC:\Windows\system32\Ofijckhg.exe43⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Onqbdihj.exeC:\Windows\system32\Onqbdihj.exe44⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Oqonpdgn.exeC:\Windows\system32\Oqonpdgn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Ogifmn32.exeC:\Windows\system32\Ogifmn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Ojgbij32.exeC:\Windows\system32\Ojgbij32.exe47⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Odmgfb32.exeC:\Windows\system32\Odmgfb32.exe48⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Ogkcbn32.exeC:\Windows\system32\Ogkcbn32.exe49⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Onekoh32.exeC:\Windows\system32\Onekoh32.exe50⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Pdoclbla.exeC:\Windows\system32\Pdoclbla.exe51⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Pjlldiji.exeC:\Windows\system32\Pjlldiji.exe52⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Pmjhpdil.exeC:\Windows\system32\Pmjhpdil.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4728 -
C:\Windows\SysWOW64\Pgplnmib.exeC:\Windows\system32\Pgplnmib.exe54⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Pnjejgpo.exeC:\Windows\system32\Pnjejgpo.exe55⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Pddmga32.exeC:\Windows\system32\Pddmga32.exe56⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Pgbicm32.exeC:\Windows\system32\Pgbicm32.exe57⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Pmoakd32.exeC:\Windows\system32\Pmoakd32.exe58⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Pcijhnld.exeC:\Windows\system32\Pcijhnld.exe59⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Pfgfdikg.exeC:\Windows\system32\Pfgfdikg.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Pdhfbacf.exeC:\Windows\system32\Pdhfbacf.exe61⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Pckfnn32.exeC:\Windows\system32\Pckfnn32.exe62⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Pnakkf32.exeC:\Windows\system32\Pnakkf32.exe63⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Qqoggb32.exeC:\Windows\system32\Qqoggb32.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Qflpoi32.exeC:\Windows\system32\Qflpoi32.exe65⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Qjhlpgpk.exeC:\Windows\system32\Qjhlpgpk.exe66⤵PID:4752
-
C:\Windows\SysWOW64\Qdmpmp32.exeC:\Windows\system32\Qdmpmp32.exe67⤵PID:3568
-
C:\Windows\SysWOW64\Qjjheg32.exeC:\Windows\system32\Qjjheg32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1000 -
C:\Windows\SysWOW64\Anedfffb.exeC:\Windows\system32\Anedfffb.exe69⤵PID:4800
-
C:\Windows\SysWOW64\Acbmnmdi.exeC:\Windows\system32\Acbmnmdi.exe70⤵PID:2824
-
C:\Windows\SysWOW64\Ajlekg32.exeC:\Windows\system32\Ajlekg32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Anhaledo.exeC:\Windows\system32\Anhaledo.exe72⤵PID:3004
-
C:\Windows\SysWOW64\Aceidl32.exeC:\Windows\system32\Aceidl32.exe73⤵PID:2168
-
C:\Windows\SysWOW64\Afcfph32.exeC:\Windows\system32\Afcfph32.exe74⤵PID:1104
-
C:\Windows\SysWOW64\Ammnmbig.exeC:\Windows\system32\Ammnmbig.exe75⤵PID:2540
-
C:\Windows\SysWOW64\Aedfnoii.exeC:\Windows\system32\Aedfnoii.exe76⤵PID:3088
-
C:\Windows\SysWOW64\Anmjfe32.exeC:\Windows\system32\Anmjfe32.exe77⤵PID:4164
-
C:\Windows\SysWOW64\Ampkbagd.exeC:\Windows\system32\Ampkbagd.exe78⤵PID:3260
-
C:\Windows\SysWOW64\Ageopj32.exeC:\Windows\system32\Ageopj32.exe79⤵PID:3512
-
C:\Windows\SysWOW64\Ajcklf32.exeC:\Windows\system32\Ajcklf32.exe80⤵PID:2384
-
C:\Windows\SysWOW64\Ambgha32.exeC:\Windows\system32\Ambgha32.exe81⤵PID:3424
-
C:\Windows\SysWOW64\Agglej32.exeC:\Windows\system32\Agglej32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Bmddma32.exeC:\Windows\system32\Bmddma32.exe83⤵PID:3092
-
C:\Windows\SysWOW64\Bgjhkjbe.exeC:\Windows\system32\Bgjhkjbe.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1896 -
C:\Windows\SysWOW64\Bncqgd32.exeC:\Windows\system32\Bncqgd32.exe85⤵
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Windows\SysWOW64\Bcqipk32.exeC:\Windows\system32\Bcqipk32.exe86⤵PID:1228
-
C:\Windows\SysWOW64\Bglepipb.exeC:\Windows\system32\Bglepipb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5056 -
C:\Windows\SysWOW64\Bmimhpoj.exeC:\Windows\system32\Bmimhpoj.exe88⤵PID:1400
-
C:\Windows\SysWOW64\Bgnafinp.exeC:\Windows\system32\Bgnafinp.exe89⤵PID:688
-
C:\Windows\SysWOW64\Bnhjbcfl.exeC:\Windows\system32\Bnhjbcfl.exe90⤵PID:4324
-
C:\Windows\SysWOW64\Bagfooep.exeC:\Windows\system32\Bagfooep.exe91⤵PID:3608
-
C:\Windows\SysWOW64\Bebbom32.exeC:\Windows\system32\Bebbom32.exe92⤵
- Modifies registry class
PID:4948 -
C:\Windows\SysWOW64\Bfcogecg.exeC:\Windows\system32\Bfcogecg.exe93⤵PID:1596
-
C:\Windows\SysWOW64\Bnkfhcdj.exeC:\Windows\system32\Bnkfhcdj.exe94⤵
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Beeodm32.exeC:\Windows\system32\Beeodm32.exe95⤵PID:396
-
C:\Windows\SysWOW64\Bhckqh32.exeC:\Windows\system32\Bhckqh32.exe96⤵PID:4020
-
C:\Windows\SysWOW64\Cjagmd32.exeC:\Windows\system32\Cjagmd32.exe97⤵PID:4276
-
C:\Windows\SysWOW64\Cmpcioha.exeC:\Windows\system32\Cmpcioha.exe98⤵PID:3472
-
C:\Windows\SysWOW64\Ccjlfi32.exeC:\Windows\system32\Ccjlfi32.exe99⤵PID:3048
-
C:\Windows\SysWOW64\Cjddbcgk.exeC:\Windows\system32\Cjddbcgk.exe100⤵PID:1812
-
C:\Windows\SysWOW64\Cmbpoofo.exeC:\Windows\system32\Cmbpoofo.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4840 -
C:\Windows\SysWOW64\Ceihplga.exeC:\Windows\system32\Ceihplga.exe102⤵PID:2652
-
C:\Windows\SysWOW64\Cfkegd32.exeC:\Windows\system32\Cfkegd32.exe103⤵PID:4000
-
C:\Windows\SysWOW64\Cjfqhcei.exeC:\Windows\system32\Cjfqhcei.exe104⤵PID:3704
-
C:\Windows\SysWOW64\Celeel32.exeC:\Windows\system32\Celeel32.exe105⤵PID:2820
-
C:\Windows\SysWOW64\Cdoeaili.exeC:\Windows\system32\Cdoeaili.exe106⤵PID:4736
-
C:\Windows\SysWOW64\Cjhmnc32.exeC:\Windows\system32\Cjhmnc32.exe107⤵PID:4548
-
C:\Windows\SysWOW64\Cmgjjn32.exeC:\Windows\system32\Cmgjjn32.exe108⤵PID:1268
-
C:\Windows\SysWOW64\Cdabfhjf.exeC:\Windows\system32\Cdabfhjf.exe109⤵PID:736
-
C:\Windows\SysWOW64\Cfonbdij.exeC:\Windows\system32\Cfonbdij.exe110⤵PID:3800
-
C:\Windows\SysWOW64\Cepnqkai.exeC:\Windows\system32\Cepnqkai.exe111⤵PID:2696
-
C:\Windows\SysWOW64\Cdcolh32.exeC:\Windows\system32\Cdcolh32.exe112⤵PID:3932
-
C:\Windows\SysWOW64\Dfakhc32.exeC:\Windows\system32\Dfakhc32.exe113⤵PID:5100
-
C:\Windows\SysWOW64\Dmlcennd.exeC:\Windows\system32\Dmlcennd.exe114⤵PID:3548
-
C:\Windows\SysWOW64\Ddekah32.exeC:\Windows\system32\Ddekah32.exe115⤵PID:4120
-
C:\Windows\SysWOW64\Dfdgnc32.exeC:\Windows\system32\Dfdgnc32.exe116⤵
- System Location Discovery: System Language Discovery
PID:4240 -
C:\Windows\SysWOW64\Djpcnbmn.exeC:\Windows\system32\Djpcnbmn.exe117⤵PID:3324
-
C:\Windows\SysWOW64\Deehkk32.exeC:\Windows\system32\Deehkk32.exe118⤵PID:4316
-
C:\Windows\SysWOW64\Dhcdhf32.exeC:\Windows\system32\Dhcdhf32.exe119⤵PID:4380
-
C:\Windows\SysWOW64\Dkbpda32.exeC:\Windows\system32\Dkbpda32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Windows\SysWOW64\Dmpmpm32.exeC:\Windows\system32\Dmpmpm32.exe121⤵PID:5184
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-