Analysis
-
max time kernel
92s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/12/2024, 22:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe
-
Size
347KB
-
MD5
faa4a4caa376a54e8e941e7547f3b3a2
-
SHA1
32ddee8103268aaf69b5c6e7ba80b95f8e7d65e8
-
SHA256
5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad
-
SHA512
76c4a2c309ec9253fc1ba3997ac72347cc4734e505f935b853f05ecbee94ee8762819e319fac96835f012ad4da12a07809bbab545a35c1a1fc140368cc94d3d4
-
SSDEEP
6144:rUVQzH5Bx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:rRzDx4brRGFB24lwR45FB24lEk
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cflkpblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgdbnmji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpkflfe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiildjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapgdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pedbahod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idbodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckiihok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lndagg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpogkhnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdglmkeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojdgnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojcpdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocjoadei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllagh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmpjoloh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmgblok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pfagighf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgnkkbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdjblf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdmein32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqoloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjdpelnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppolhcnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmbhoeid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcjqgnm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Facqkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njpdnedf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obqanjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcqpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lacdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldipha32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2732 Ghpendjj.exe 4280 Hhgloc32.exe 2532 Hoadkn32.exe 3844 Hglipp32.exe 4600 Hdpiid32.exe 4500 Hgoeep32.exe 4856 Hdbfodfa.exe 1472 Ifbbig32.exe 4344 Iokgal32.exe 1820 Iickkbje.exe 5052 Ibkpcg32.exe 972 Ikcdlmgf.exe 772 Iigdfa32.exe 3964 Indmnh32.exe 4376 Iijaka32.exe 3640 Jngjch32.exe 2912 Jgonlm32.exe 4544 Jecofa32.exe 2356 Jkmgblok.exe 2216 Jnnpdg32.exe 5060 Jicdap32.exe 3180 Jejefqaf.exe 4924 Kpbfii32.exe 3300 Kngcje32.exe 3636 Keakgpko.exe 2504 Knlleepl.exe 3580 Lbjelc32.exe 2684 Llbidimc.exe 4536 Lfhnaa32.exe 3248 Lbnngbbn.exe 2752 Lpbopfag.exe 3424 Lhncdi32.exe 4804 Lbchba32.exe 4736 Mpghkf32.exe 3956 Mfaqhp32.exe 2204 Miomdk32.exe 3276 Mbhamajc.exe 1752 Mibijk32.exe 1956 Mbjnbqhp.exe 220 Mehjol32.exe 1984 Mpnnle32.exe 4136 Mfhfhong.exe 4680 Mleoafmn.exe 3976 Mfjcnold.exe 3308 Nlglfe32.exe 3472 Nbadcpbh.exe 1816 Nhnlkfpp.exe 1384 Npedmdab.exe 3068 Niniei32.exe 960 Ngaionfl.exe 4288 Nipekiep.exe 1148 Nomncpcg.exe 4560 Nheble32.exe 1880 Nplkmckj.exe 4392 Oidofh32.exe 2560 Opogbbig.exe 4332 Oekpkigo.exe 916 Olehhc32.exe 4992 Oenlqi32.exe 2268 Opcqnb32.exe 4024 Ogmijllo.exe 2256 Opemca32.exe 4260 Oebflhaf.exe 1168 Ohqbhdpj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bmaioi32.dll Dndnpf32.exe File opened for modification C:\Windows\SysWOW64\Jimldogg.exe Jbccge32.exe File created C:\Windows\SysWOW64\Ehmbndpm.dll Lbnngbbn.exe File created C:\Windows\SysWOW64\Pjajmpkj.dll Iggjga32.exe File opened for modification C:\Windows\SysWOW64\Jnjejjgh.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Heeeiopa.dll Cdpjlb32.exe File opened for modification C:\Windows\SysWOW64\Hmbphg32.exe Hekgfj32.exe File created C:\Windows\SysWOW64\Bogkmgba.exe Bgpcliao.exe File created C:\Windows\SysWOW64\Pehngkcg.exe Pmaffnce.exe File created C:\Windows\SysWOW64\Mhanngbl.exe Mfbaalbi.exe File created C:\Windows\SysWOW64\Cbkfbcpb.exe Cpljehpo.exe File opened for modification C:\Windows\SysWOW64\Eagaoh32.exe Dhomfc32.exe File created C:\Windows\SysWOW64\Hgghjjid.exe Hpmpnp32.exe File opened for modification C:\Windows\SysWOW64\Oimkbaed.exe Obcceg32.exe File created C:\Windows\SysWOW64\Dikihe32.exe Dbqqkkbo.exe File opened for modification C:\Windows\SysWOW64\Kqfngd32.exe Kmkbfeab.exe File created C:\Windows\SysWOW64\Mnfnlf32.exe Mglfplgk.exe File created C:\Windows\SysWOW64\Ambfbo32.dll Fnnjmbpm.exe File created C:\Windows\SysWOW64\Bdocph32.exe Bapgdm32.exe File opened for modification C:\Windows\SysWOW64\Olehhc32.exe Oekpkigo.exe File created C:\Windows\SysWOW64\Dpmcmd32.dll Ahfdjanb.exe File opened for modification C:\Windows\SysWOW64\Kjkpoq32.exe Kijchhbo.exe File created C:\Windows\SysWOW64\Miaboe32.exe Mbgjbkfg.exe File created C:\Windows\SysWOW64\Ekcgkb32.exe Eiekog32.exe File created C:\Windows\SysWOW64\Hecjke32.exe Hbenoi32.exe File opened for modification C:\Windows\SysWOW64\Hnphoj32.exe Hhfpbpdo.exe File created C:\Windows\SysWOW64\Dilcjbag.dll Babcil32.exe File opened for modification C:\Windows\SysWOW64\Hffken32.exe Hoobdp32.exe File created C:\Windows\SysWOW64\Lljklo32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Mfqlfb32.exe Mqdcnl32.exe File created C:\Windows\SysWOW64\Lpghll32.dll Oakbehfe.exe File opened for modification C:\Windows\SysWOW64\Conanfli.exe Cpmapodj.exe File created C:\Windows\SysWOW64\Gegkpf32.exe Gokbgpeg.exe File created C:\Windows\SysWOW64\Pneclb32.dll Gbbajjlp.exe File created C:\Windows\SysWOW64\Aanpie32.dll Qjhbfd32.exe File opened for modification C:\Windows\SysWOW64\Eiildjag.exe Ehhpla32.exe File opened for modification C:\Windows\SysWOW64\Ihphkl32.exe Iqipio32.exe File created C:\Windows\SysWOW64\Glldgljg.exe Gingkqkd.exe File created C:\Windows\SysWOW64\Eegiklal.dll Mcecjmkl.exe File created C:\Windows\SysWOW64\Iefphb32.exe Ipihpkkd.exe File created C:\Windows\SysWOW64\Njfkbf32.dll Lbngllob.exe File created C:\Windows\SysWOW64\Dbndfl32.exe Dfgcakon.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Hlglidlo.exe File opened for modification C:\Windows\SysWOW64\Ggkqgaol.exe Gaqhjggp.exe File created C:\Windows\SysWOW64\Cnjpknni.dll Gfmojenc.exe File created C:\Windows\SysWOW64\Ilafiihp.exe Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Clgbmp32.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Jdblhj32.dll Fmhdkknd.exe File created C:\Windows\SysWOW64\Bpnihiio.exe Bjaqpbkh.exe File created C:\Windows\SysWOW64\Bmpdfl32.dll Cglgjeci.exe File created C:\Windows\SysWOW64\Oilbhkaa.dll Hjjnae32.exe File opened for modification C:\Windows\SysWOW64\Plpqil32.exe Pefhlaie.exe File created C:\Windows\SysWOW64\Bmhocd32.exe Bhkfkmmg.exe File opened for modification C:\Windows\SysWOW64\Fgmdec32.exe Fqbliicp.exe File opened for modification C:\Windows\SysWOW64\Gokbgpeg.exe Fgcjfbed.exe File created C:\Windows\SysWOW64\Ilphdlqh.exe Iialhaad.exe File opened for modification C:\Windows\SysWOW64\Lhqefjpo.exe Lcclncbh.exe File created C:\Windows\SysWOW64\Noloin32.dll Mehjol32.exe File opened for modification C:\Windows\SysWOW64\Dgejpd32.exe Dcjnoece.exe File created C:\Windows\SysWOW64\Lbngllob.exe Lghcocol.exe File created C:\Windows\SysWOW64\Eomffaag.exe Eqlfhjig.exe File created C:\Windows\SysWOW64\Bomkcm32.exe Blnoga32.exe File created C:\Windows\SysWOW64\Ifomll32.exe Ipeeobbe.exe File created C:\Windows\SysWOW64\Kpbfii32.exe Jejefqaf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8580 9064 WerFault.exe 1069 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caghhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgomnai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgonlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oloahhki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheekkjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomffaag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbcgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dannij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiioonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccokk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcoccc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgoeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgnkkbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giinpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnbicff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfpbpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphnlcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeodhjmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnphoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcamf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimmifgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgdcipq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhfhong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipbdikp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbhgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finnef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjiao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbalopbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbjfjci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpendjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpiecd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojkeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhdnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Damfao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piphgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkkhbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdgcpaf.dll" Olehhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklaah32.dll" Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iggaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmafqb32.dll" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfhfhong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpenfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll" Kofdhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ockdmmoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfhfhong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acilajpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcldc32.dll" Fphnlcdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjigamma.dll" Jglklggl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcddcbab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneclb32.dll" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokknfec.dll" Hglipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jngjch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ploknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinlh32.dll" Fdglmkeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilafiihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejomj32.dll" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ahdged32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgkjlmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Banjnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Napjdpcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmpmnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhnlkfpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oebflhaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ophjiaql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfdbb32.dll" Mleoafmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqdgdn32.dll" Nhnlkfpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll" Ocdnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbdlop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndflak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjknojbk.dll" Qkipkani.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmeigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkdoago.dll" Inainbcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nahgoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhocin32.dll" Ajndioga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lddgmbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibjqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feenjgfq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nfnamjhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cancekeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfcqpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aanbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdaociml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbfldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Inmpcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pamiaboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" Fneggdhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mqimikfj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2732 2860 5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe 83 PID 2860 wrote to memory of 2732 2860 5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe 83 PID 2860 wrote to memory of 2732 2860 5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe 83 PID 2732 wrote to memory of 4280 2732 Ghpendjj.exe 84 PID 2732 wrote to memory of 4280 2732 Ghpendjj.exe 84 PID 2732 wrote to memory of 4280 2732 Ghpendjj.exe 84 PID 4280 wrote to memory of 2532 4280 Hhgloc32.exe 85 PID 4280 wrote to memory of 2532 4280 Hhgloc32.exe 85 PID 4280 wrote to memory of 2532 4280 Hhgloc32.exe 85 PID 2532 wrote to memory of 3844 2532 Hoadkn32.exe 86 PID 2532 wrote to memory of 3844 2532 Hoadkn32.exe 86 PID 2532 wrote to memory of 3844 2532 Hoadkn32.exe 86 PID 3844 wrote to memory of 4600 3844 Hglipp32.exe 87 PID 3844 wrote to memory of 4600 3844 Hglipp32.exe 87 PID 3844 wrote to memory of 4600 3844 Hglipp32.exe 87 PID 4600 wrote to memory of 4500 4600 Hdpiid32.exe 88 PID 4600 wrote to memory of 4500 4600 Hdpiid32.exe 88 PID 4600 wrote to memory of 4500 4600 Hdpiid32.exe 88 PID 4500 wrote to memory of 4856 4500 Hgoeep32.exe 89 PID 4500 wrote to memory of 4856 4500 Hgoeep32.exe 89 PID 4500 wrote to memory of 4856 4500 Hgoeep32.exe 89 PID 4856 wrote to memory of 1472 4856 Hdbfodfa.exe 90 PID 4856 wrote to memory of 1472 4856 Hdbfodfa.exe 90 PID 4856 wrote to memory of 1472 4856 Hdbfodfa.exe 90 PID 1472 wrote to memory of 4344 1472 Ifbbig32.exe 91 PID 1472 wrote to memory of 4344 1472 Ifbbig32.exe 91 PID 1472 wrote to memory of 4344 1472 Ifbbig32.exe 91 PID 4344 wrote to memory of 1820 4344 Iokgal32.exe 92 PID 4344 wrote to memory of 1820 4344 Iokgal32.exe 92 PID 4344 wrote to memory of 1820 4344 Iokgal32.exe 92 PID 1820 wrote to memory of 5052 1820 Iickkbje.exe 93 PID 1820 wrote to memory of 5052 1820 Iickkbje.exe 93 PID 1820 wrote to memory of 5052 1820 Iickkbje.exe 93 PID 5052 wrote to memory of 972 5052 Ibkpcg32.exe 94 PID 5052 wrote to memory of 972 5052 Ibkpcg32.exe 94 PID 5052 wrote to memory of 972 5052 Ibkpcg32.exe 94 PID 972 wrote to memory of 772 972 Ikcdlmgf.exe 95 PID 972 wrote to memory of 772 972 Ikcdlmgf.exe 95 PID 972 wrote to memory of 772 972 Ikcdlmgf.exe 95 PID 772 wrote to memory of 3964 772 Iigdfa32.exe 96 PID 772 wrote to memory of 3964 772 Iigdfa32.exe 96 PID 772 wrote to memory of 3964 772 Iigdfa32.exe 96 PID 3964 wrote to memory of 4376 3964 Indmnh32.exe 97 PID 3964 wrote to memory of 4376 3964 Indmnh32.exe 97 PID 3964 wrote to memory of 4376 3964 Indmnh32.exe 97 PID 4376 wrote to memory of 3640 4376 Iijaka32.exe 98 PID 4376 wrote to memory of 3640 4376 Iijaka32.exe 98 PID 4376 wrote to memory of 3640 4376 Iijaka32.exe 98 PID 3640 wrote to memory of 2912 3640 Jngjch32.exe 99 PID 3640 wrote to memory of 2912 3640 Jngjch32.exe 99 PID 3640 wrote to memory of 2912 3640 Jngjch32.exe 99 PID 2912 wrote to memory of 4544 2912 Jgonlm32.exe 100 PID 2912 wrote to memory of 4544 2912 Jgonlm32.exe 100 PID 2912 wrote to memory of 4544 2912 Jgonlm32.exe 100 PID 4544 wrote to memory of 2356 4544 Jecofa32.exe 101 PID 4544 wrote to memory of 2356 4544 Jecofa32.exe 101 PID 4544 wrote to memory of 2356 4544 Jecofa32.exe 101 PID 2356 wrote to memory of 2216 2356 Jkmgblok.exe 102 PID 2356 wrote to memory of 2216 2356 Jkmgblok.exe 102 PID 2356 wrote to memory of 2216 2356 Jkmgblok.exe 102 PID 2216 wrote to memory of 5060 2216 Jnnpdg32.exe 103 PID 2216 wrote to memory of 5060 2216 Jnnpdg32.exe 103 PID 2216 wrote to memory of 5060 2216 Jnnpdg32.exe 103 PID 5060 wrote to memory of 3180 5060 Jicdap32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe"C:\Users\Admin\AppData\Local\Temp\5f03871c126bcbecdddbc5a527ae2dd3da53b64a65623d77d17d9f23f645f8ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe24⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe25⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Keakgpko.exeC:\Windows\system32\Keakgpko.exe26⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Knlleepl.exeC:\Windows\system32\Knlleepl.exe27⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe28⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Llbidimc.exeC:\Windows\system32\Llbidimc.exe29⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe30⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248 -
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe32⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe33⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe34⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Mpghkf32.exeC:\Windows\system32\Mpghkf32.exe35⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe36⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe37⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe38⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe39⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe40⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Mpnnle32.exeC:\Windows\system32\Mpnnle32.exe42⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4136 -
C:\Windows\SysWOW64\Mleoafmn.exeC:\Windows\system32\Mleoafmn.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe45⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe46⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe47⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe49⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe50⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe52⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe53⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Nheble32.exeC:\Windows\system32\Nheble32.exe54⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Nplkmckj.exeC:\Windows\system32\Nplkmckj.exe55⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe56⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe57⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Oenlqi32.exeC:\Windows\system32\Oenlqi32.exe60⤵
- Executes dropped EXE
PID:4992 -
C:\Windows\SysWOW64\Opcqnb32.exeC:\Windows\system32\Opcqnb32.exe61⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe62⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe63⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4260 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe65⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe66⤵
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4192 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe68⤵
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe69⤵PID:3596
-
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe70⤵PID:4732
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe71⤵PID:1236
-
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe72⤵PID:1840
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe73⤵PID:4016
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe74⤵PID:4220
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe75⤵PID:4340
-
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe76⤵PID:1548
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe77⤵PID:1360
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe78⤵PID:1684
-
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe79⤵PID:2792
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe80⤵PID:1240
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe81⤵PID:1972
-
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe82⤵PID:720
-
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe83⤵PID:2020
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe84⤵PID:1308
-
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe85⤵
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe86⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe87⤵PID:4896
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe88⤵PID:1680
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe89⤵PID:2988
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe90⤵PID:4800
-
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe91⤵PID:3104
-
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe92⤵PID:1700
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe93⤵PID:2180
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe94⤵PID:1936
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe95⤵PID:5080
-
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe96⤵PID:3568
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe97⤵PID:216
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe98⤵
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe99⤵PID:4768
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe100⤵PID:4688
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe101⤵PID:3452
-
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe102⤵PID:3576
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe103⤵PID:4028
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe104⤵PID:2764
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4032 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe106⤵PID:4540
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe107⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe108⤵PID:4944
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe109⤵PID:5136
-
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe110⤵PID:5204
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe111⤵PID:5264
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe112⤵PID:5312
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe114⤵PID:5432
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe116⤵PID:5568
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe117⤵PID:5612
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe118⤵PID:5664
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe119⤵PID:5708
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe120⤵PID:5764
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe121⤵PID:5812
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-