Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/12/2024, 13:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe
-
Size
72KB
-
MD5
78dce6518ea460886fa5f6bba65d70d0
-
SHA1
935123e7706d28f3d4abe6f6bd8bb27b4a1393b1
-
SHA256
26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157a
-
SHA512
a8aaf08be354d9b86203fec0794f0befe52b3f473cb38b6094b0760649f97dc0b4e8b48ff27b568e975280d6bf1f27c2ce8201fdb60a0bded5b30da7dad4a46e
-
SSDEEP
1536:/SP8JGXF7E+PHGbVjlZNfq6meJQK2LA6+lWCWQ6:qUQw+PHe9jNfqiwA6+bWQ6
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daediilg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnibokbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfpffeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjgaoqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpcliao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhboolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjgchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efblbbqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fojedapj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblijebc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjijgq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcahd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmcdffmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkbjqgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejflhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggcfja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajqgidij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnkkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghklce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kageaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmconhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglgjeci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhicpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjliajmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cleegp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekiohclf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhkjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qachgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackbmcjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4856 Ajanck32.exe 636 Adgbpc32.exe 3924 Ageolo32.exe 4768 Ambgef32.exe 2256 Aclpap32.exe 4232 Anadoi32.exe 1112 Acnlgp32.exe 1672 Afmhck32.exe 3708 Aabmqd32.exe 4260 Acqimo32.exe 4728 Anfmjhmd.exe 4616 Aadifclh.exe 4704 Agoabn32.exe 5016 Bnhjohkb.exe 3820 Bagflcje.exe 4752 Bfdodjhm.exe 3800 Bnkgeg32.exe 2232 Beeoaapl.exe 2648 Bjagjhnc.exe 3624 Bmpcfdmg.exe 3520 Beglgani.exe 756 Bnpppgdj.exe 1692 Beihma32.exe 2840 Bfkedibe.exe 5044 Bapiabak.exe 4668 Bcoenmao.exe 2964 Cfmajipb.exe 4504 Cndikf32.exe 1348 Chmndlge.exe 740 Cjkjpgfi.exe 4116 Ceqnmpfo.exe 3532 Cfbkeh32.exe 184 Cjmgfgdf.exe 672 Cagobalc.exe 3592 Cdfkolkf.exe 3956 Cnkplejl.exe 2720 Cdhhdlid.exe 2136 Cnnlaehj.exe 2188 Dmcibama.exe 5024 Dejacond.exe 2516 Djgjlelk.exe 324 Dobfld32.exe 208 Dhkjej32.exe 1424 Edhakj32.exe 3860 Eggmge32.exe 5040 Eehnem32.exe 4924 Ekefmc32.exe 1176 Eaonjngh.exe 3588 Edmjfifl.exe 2076 Eglgbdep.exe 4640 Emeoooml.exe 3148 Eemgplno.exe 2344 Ehkclgmb.exe 884 Ekiohclf.exe 2064 Emhldnkj.exe 1204 Fdbdah32.exe 4832 Fgppmd32.exe 3760 Fafdkmap.exe 2332 Fojedapj.exe 3932 Folaiqng.exe 2272 Fefjfked.exe 380 Fnaokmco.exe 4844 Famjkl32.exe 2688 Foqkdp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Modgdicm.exe Lncjlq32.exe File created C:\Windows\SysWOW64\Efmolq32.dll Adgbpc32.exe File created C:\Windows\SysWOW64\Lbcnlf32.dll Aihaoqlp.exe File created C:\Windows\SysWOW64\Gigmlgok.dll Ijadbdoj.exe File created C:\Windows\SysWOW64\Kaehljpj.exe Kjkpoq32.exe File created C:\Windows\SysWOW64\Jnlbojee.exe Jgbjbp32.exe File created C:\Windows\SysWOW64\Edhakj32.exe Dhkjej32.exe File created C:\Windows\SysWOW64\Ifhahnbj.dll Glgjlm32.exe File opened for modification C:\Windows\SysWOW64\Cnfaohbj.exe Cleegp32.exe File created C:\Windows\SysWOW64\Ccbolagk.dll Gbbajjlp.exe File created C:\Windows\SysWOW64\Phigif32.exe Pejkmk32.exe File created C:\Windows\SysWOW64\Cndeii32.exe Coadnlnb.exe File created C:\Windows\SysWOW64\Oifppdpd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Lmdnbn32.exe File opened for modification C:\Windows\SysWOW64\Dmcibama.exe Cnnlaehj.exe File created C:\Windows\SysWOW64\Ogfcjm32.exe Nookip32.exe File created C:\Windows\SysWOW64\Efdjgo32.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Palbkhoj.dll Olijhmgj.exe File created C:\Windows\SysWOW64\Bohbhmfm.exe Bdbnjdfg.exe File opened for modification C:\Windows\SysWOW64\Chnbbqpn.exe Cfpffeaj.exe File opened for modification C:\Windows\SysWOW64\Djklmo32.exe Dhlpqc32.exe File opened for modification C:\Windows\SysWOW64\Ckmehb32.exe Cjliajmo.exe File created C:\Windows\SysWOW64\Plopnh32.dll Oeokal32.exe File opened for modification C:\Windows\SysWOW64\Llnnmhfe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Aaiimadl.exe File opened for modification C:\Windows\SysWOW64\Hblkjo32.exe Hlbcnd32.exe File created C:\Windows\SysWOW64\Iaejqcdo.dll Process not Found File created C:\Windows\SysWOW64\Mapppn32.exe Process not Found File created C:\Windows\SysWOW64\Kkgiimng.exe Kcpahpmd.exe File created C:\Windows\SysWOW64\Bkgppbgc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dgdncplk.exe Process not Found File created C:\Windows\SysWOW64\Fhgmqghl.dll Process not Found File created C:\Windows\SysWOW64\Jlacji32.dll Epjajeqo.exe File created C:\Windows\SysWOW64\Qemhbj32.exe Qaalblgi.exe File created C:\Windows\SysWOW64\Nlnhqepf.dll Eblimcdf.exe File created C:\Windows\SysWOW64\Iikmbh32.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Jchdqkfl.dll Nnhmnn32.exe File opened for modification C:\Windows\SysWOW64\Folaiqng.exe Fojedapj.exe File created C:\Windows\SysWOW64\Gbdqegoi.dll Ojgjndno.exe File created C:\Windows\SysWOW64\Ifolcq32.dll Mfnoqc32.exe File created C:\Windows\SysWOW64\Aafjpc32.dll Process not Found File created C:\Windows\SysWOW64\Pebndcpg.dll Hhiajmod.exe File created C:\Windows\SysWOW64\Phmgghbe.dll Hgnoki32.exe File created C:\Windows\SysWOW64\Mkfefigf.dll Qobhkjdi.exe File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe Cpbjkn32.exe File created C:\Windows\SysWOW64\Mdafpj32.dll Kcbnnpka.exe File created C:\Windows\SysWOW64\Nlfnaicd.exe Nelfeo32.exe File created C:\Windows\SysWOW64\Lfebfnqn.dll Gojiiafp.exe File created C:\Windows\SysWOW64\Lnijaa32.dll Iijaka32.exe File created C:\Windows\SysWOW64\Fimhjl32.exe Ffnknafg.exe File opened for modification C:\Windows\SysWOW64\Edoencdm.exe Process not Found File created C:\Windows\SysWOW64\Doogdl32.dll Nelfeo32.exe File opened for modification C:\Windows\SysWOW64\Ghojbq32.exe Gbbajjlp.exe File created C:\Windows\SysWOW64\Mkhpmopi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bapiabak.exe Bfkedibe.exe File created C:\Windows\SysWOW64\Iddljmpc.exe Iafonaao.exe File created C:\Windows\SysWOW64\Hlhccj32.exe Hiiggoaf.exe File created C:\Windows\SysWOW64\Lqikmc32.exe Lklbdm32.exe File created C:\Windows\SysWOW64\Fbbicl32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Okjpkd32.dll Finnef32.exe File created C:\Windows\SysWOW64\Hhdhon32.exe Hnodaecc.exe File opened for modification C:\Windows\SysWOW64\Achegd32.exe Alnmjjdb.exe File created C:\Windows\SysWOW64\Ockkandf.dll Qdphngfl.exe File created C:\Windows\SysWOW64\Opqofe32.exe Ombcji32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7020 11528 Process not Found 1343 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgopidgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnldla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idieem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdlffhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadifclh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfglfdkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Badanigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enigke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmeoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poomegpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgjndno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhiemoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhdkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigonjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecefqnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flngfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epokedmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigdfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelfeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbekqdjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjnbqhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghhhcomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbcpja32.dll" Bopocbcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doaneiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbbcpq.dll" Gdobnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhmqdemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leoghn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fknbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npgmpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fngbbg32.dll" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfcle32.dll" Bkoigdom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnjancb.dll" Gpdennml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll" Lgdidgjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goljqnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihqiqn32.dll" Kaehljpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhjohkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kageaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgncmim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijkdmhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnpphljo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqdae32.dll" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll" Fbdehlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdpkflfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" Fmcjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll" Apmhiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfjcdon.dll" Afkknogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmabggdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggnadib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gilapgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbdho32.dll" Nknobkje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4724 wrote to memory of 4856 4724 26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe 83 PID 4724 wrote to memory of 4856 4724 26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe 83 PID 4724 wrote to memory of 4856 4724 26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe 83 PID 4856 wrote to memory of 636 4856 Ajanck32.exe 84 PID 4856 wrote to memory of 636 4856 Ajanck32.exe 84 PID 4856 wrote to memory of 636 4856 Ajanck32.exe 84 PID 636 wrote to memory of 3924 636 Adgbpc32.exe 85 PID 636 wrote to memory of 3924 636 Adgbpc32.exe 85 PID 636 wrote to memory of 3924 636 Adgbpc32.exe 85 PID 3924 wrote to memory of 4768 3924 Ageolo32.exe 86 PID 3924 wrote to memory of 4768 3924 Ageolo32.exe 86 PID 3924 wrote to memory of 4768 3924 Ageolo32.exe 86 PID 4768 wrote to memory of 2256 4768 Ambgef32.exe 87 PID 4768 wrote to memory of 2256 4768 Ambgef32.exe 87 PID 4768 wrote to memory of 2256 4768 Ambgef32.exe 87 PID 2256 wrote to memory of 4232 2256 Aclpap32.exe 88 PID 2256 wrote to memory of 4232 2256 Aclpap32.exe 88 PID 2256 wrote to memory of 4232 2256 Aclpap32.exe 88 PID 4232 wrote to memory of 1112 4232 Anadoi32.exe 89 PID 4232 wrote to memory of 1112 4232 Anadoi32.exe 89 PID 4232 wrote to memory of 1112 4232 Anadoi32.exe 89 PID 1112 wrote to memory of 1672 1112 Acnlgp32.exe 90 PID 1112 wrote to memory of 1672 1112 Acnlgp32.exe 90 PID 1112 wrote to memory of 1672 1112 Acnlgp32.exe 90 PID 1672 wrote to memory of 3708 1672 Afmhck32.exe 91 PID 1672 wrote to memory of 3708 1672 Afmhck32.exe 91 PID 1672 wrote to memory of 3708 1672 Afmhck32.exe 91 PID 3708 wrote to memory of 4260 3708 Aabmqd32.exe 92 PID 3708 wrote to memory of 4260 3708 Aabmqd32.exe 92 PID 3708 wrote to memory of 4260 3708 Aabmqd32.exe 92 PID 4260 wrote to memory of 4728 4260 Acqimo32.exe 93 PID 4260 wrote to memory of 4728 4260 Acqimo32.exe 93 PID 4260 wrote to memory of 4728 4260 Acqimo32.exe 93 PID 4728 wrote to memory of 4616 4728 Anfmjhmd.exe 94 PID 4728 wrote to memory of 4616 4728 Anfmjhmd.exe 94 PID 4728 wrote to memory of 4616 4728 Anfmjhmd.exe 94 PID 4616 wrote to memory of 4704 4616 Aadifclh.exe 95 PID 4616 wrote to memory of 4704 4616 Aadifclh.exe 95 PID 4616 wrote to memory of 4704 4616 Aadifclh.exe 95 PID 4704 wrote to memory of 5016 4704 Agoabn32.exe 96 PID 4704 wrote to memory of 5016 4704 Agoabn32.exe 96 PID 4704 wrote to memory of 5016 4704 Agoabn32.exe 96 PID 5016 wrote to memory of 3820 5016 Bnhjohkb.exe 97 PID 5016 wrote to memory of 3820 5016 Bnhjohkb.exe 97 PID 5016 wrote to memory of 3820 5016 Bnhjohkb.exe 97 PID 3820 wrote to memory of 4752 3820 Bagflcje.exe 98 PID 3820 wrote to memory of 4752 3820 Bagflcje.exe 98 PID 3820 wrote to memory of 4752 3820 Bagflcje.exe 98 PID 4752 wrote to memory of 3800 4752 Bfdodjhm.exe 99 PID 4752 wrote to memory of 3800 4752 Bfdodjhm.exe 99 PID 4752 wrote to memory of 3800 4752 Bfdodjhm.exe 99 PID 3800 wrote to memory of 2232 3800 Bnkgeg32.exe 100 PID 3800 wrote to memory of 2232 3800 Bnkgeg32.exe 100 PID 3800 wrote to memory of 2232 3800 Bnkgeg32.exe 100 PID 2232 wrote to memory of 2648 2232 Beeoaapl.exe 101 PID 2232 wrote to memory of 2648 2232 Beeoaapl.exe 101 PID 2232 wrote to memory of 2648 2232 Beeoaapl.exe 101 PID 2648 wrote to memory of 3624 2648 Bjagjhnc.exe 102 PID 2648 wrote to memory of 3624 2648 Bjagjhnc.exe 102 PID 2648 wrote to memory of 3624 2648 Bjagjhnc.exe 102 PID 3624 wrote to memory of 3520 3624 Bmpcfdmg.exe 103 PID 3624 wrote to memory of 3520 3624 Bmpcfdmg.exe 103 PID 3624 wrote to memory of 3520 3624 Bmpcfdmg.exe 103 PID 3520 wrote to memory of 756 3520 Beglgani.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe"C:\Users\Admin\AppData\Local\Temp\26ecc6069b141761a8d0dc9ee2a9215526ac40f1551d71b8432b9253e01b157aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe23⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe24⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe26⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe27⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe28⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe29⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe30⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe31⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe33⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe34⤵
- Executes dropped EXE
PID:184 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe35⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe36⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe37⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe38⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe41⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe42⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe43⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:208 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe45⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe46⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe47⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe48⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe49⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe50⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe51⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe52⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe53⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe54⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe56⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe57⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe58⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe59⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe61⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe62⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe63⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe64⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Foqkdp32.exeC:\Windows\system32\Foqkdp32.exe65⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe66⤵PID:2636
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe67⤵PID:4300
-
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe68⤵PID:4996
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4212 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe71⤵PID:1580
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe72⤵PID:3696
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe73⤵PID:1168
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4700 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe76⤵PID:5112
-
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe77⤵
- Modifies registry class
PID:4332 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe78⤵PID:2464
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe79⤵PID:1384
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe80⤵PID:4476
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe81⤵PID:376
-
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe82⤵PID:1460
-
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe83⤵PID:4176
-
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe84⤵
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe85⤵PID:4324
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe86⤵PID:5060
-
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe87⤵PID:772
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe88⤵PID:2592
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe89⤵PID:1936
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe90⤵PID:1928
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe91⤵PID:1500
-
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe92⤵PID:436
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe93⤵PID:1676
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe95⤵PID:4468
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe96⤵PID:4932
-
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe97⤵PID:1836
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe98⤵PID:956
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Ikfabm32.exeC:\Windows\system32\Ikfabm32.exe100⤵PID:4760
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe101⤵PID:2152
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe102⤵
- Drops file in System32 directory
PID:5012 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe103⤵PID:4320
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe104⤵PID:2204
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe105⤵PID:4068
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe106⤵PID:1056
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe107⤵PID:1404
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe108⤵PID:372
-
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe109⤵PID:4380
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe110⤵
- System Location Discovery: System Language Discovery
PID:3196 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe111⤵PID:4748
-
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe112⤵PID:1584
-
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe113⤵PID:4148
-
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe114⤵PID:1180
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe115⤵PID:5128
-
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe117⤵PID:5216
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe118⤵PID:5260
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe119⤵PID:5304
-
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe120⤵PID:5348
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe121⤵PID:5392
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-