Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 11:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe
Resource
win7-20240729-en
windows7-x64
11 signatures
120 seconds
Behavioral task
behavioral2
Sample
5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe
-
Size
64KB
-
MD5
edfb204778fb0342b5edd1592295aca0
-
SHA1
2425af30b41caa4533ba7d9361f37d5b36aacfcd
-
SHA256
5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97
-
SHA512
4b73c323a123e4795bfba5f5842cad5eb8507d092a5e2ad637d96a7a7e968769ad040d9a5b3ce68ecf9857caea95352f928bc249d1ac9d2c6e2986c000f6cdd7
-
SSDEEP
768:5N1IIy5uktkCqaYM44dcVevu8JLUN2tj1L2Tc/1H5Ggk6XJ1IwEGp9ThfzyYsHd:PqIy8TCqRH4dwr8JL/tgeFXUwXfzwd
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjcmebie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boflmdkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipfmggc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcaofebg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keonap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahqddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcncpbmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflgmqhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehicoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fphnlcdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnohn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcoai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oanfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgjljpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jicdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afelhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Objpoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blgifbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofgpikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmkigh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camddhoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khpgckkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hginecde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjhfpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmnmgnoh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oogpjbbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edfdej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghklce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffmfadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beihma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomgjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbnkonbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgpbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocdjpmac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alkijdci.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3068 Odapnf32.exe 1348 Ogpmjb32.exe 4596 Ojoign32.exe 4032 Oddmdf32.exe 4592 Ogbipa32.exe 2696 Pmoahijl.exe 64 Pdfjifjo.exe 2912 Pgefeajb.exe 2832 Pnonbk32.exe 3076 Pqmjog32.exe 3228 Pggbkagp.exe 2476 Pjeoglgc.exe 4692 Pmdkch32.exe 3752 Pcncpbmd.exe 4352 Pflplnlg.exe 4520 Pncgmkmj.exe 4512 Pqbdjfln.exe 1460 Pgllfp32.exe 536 Pnfdcjkg.exe 3764 Pdpmpdbd.exe 1792 Pgnilpah.exe 1224 Qnhahj32.exe 2292 Qceiaa32.exe 5068 Ageolo32.exe 1548 Ajckij32.exe 3052 Ambgef32.exe 4856 Aeiofcji.exe 4504 Aclpap32.exe 2864 Anadoi32.exe 4108 Amddjegd.exe 3900 Aeklkchg.exe 4328 Afmhck32.exe 384 Andqdh32.exe 2276 Afoeiklb.exe 3184 Aminee32.exe 2152 Aadifclh.exe 3832 Bfabnjjp.exe 1912 Bjmnoi32.exe 1916 Bagflcje.exe 2096 Bganhm32.exe 220 Bnkgeg32.exe 208 Baicac32.exe 4556 Bchomn32.exe 2748 Bnmcjg32.exe 1200 Bgehcmmm.exe 756 Bnpppgdj.exe 4588 Beihma32.exe 3768 Bjfaeh32.exe 2768 Bmemac32.exe 408 Bcoenmao.exe 3964 Cfmajipb.exe 5084 Cndikf32.exe 4216 Cmgjgcgo.exe 2684 Cdabcm32.exe 4432 Cjkjpgfi.exe 4460 Caebma32.exe 1300 Chokikeb.exe 3708 Cmlcbbcj.exe 2848 Cfdhkhjj.exe 3928 Cdhhdlid.exe 4872 Cjbpaf32.exe 3456 Calhnpgn.exe 4956 Dhfajjoj.exe 4532 Djdmffnn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kjlopc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lggejg32.exe Process not Found File created C:\Windows\SysWOW64\Bdjinlko.dll Pmoahijl.exe File opened for modification C:\Windows\SysWOW64\Djhpgofm.exe Dfmcfp32.exe File created C:\Windows\SysWOW64\Mhfppabl.exe Malgcg32.exe File created C:\Windows\SysWOW64\Ajihlijd.dll Mglfplgk.exe File created C:\Windows\SysWOW64\Ibkgme32.dll Ojigdcll.exe File opened for modification C:\Windows\SysWOW64\Jgdhgmep.exe Jfbkpd32.exe File created C:\Windows\SysWOW64\Bfpjcbmh.dll Lhncdi32.exe File created C:\Windows\SysWOW64\Igqkqiai.exe Idbodn32.exe File opened for modification C:\Windows\SysWOW64\Ageolo32.exe Qceiaa32.exe File opened for modification C:\Windows\SysWOW64\Gingkqkd.exe Gfokoelp.exe File opened for modification C:\Windows\SysWOW64\Hkbmqb32.exe Hdhedh32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Fbjena32.exe File created C:\Windows\SysWOW64\Djnkap32.dll Qnhahj32.exe File opened for modification C:\Windows\SysWOW64\Nipekiep.exe Ngaionfl.exe File created C:\Windows\SysWOW64\Bihjfnmm.exe Bfjnjcni.exe File opened for modification C:\Windows\SysWOW64\Qcaofebg.exe Qkjgegae.exe File created C:\Windows\SysWOW64\Ccdnjp32.exe Ckmehb32.exe File opened for modification C:\Windows\SysWOW64\Oobfob32.exe Ojgjndno.exe File created C:\Windows\SysWOW64\Jeqbpb32.exe Jngjch32.exe File created C:\Windows\SysWOW64\Eokqkh32.exe Emmdom32.exe File created C:\Windows\SysWOW64\Pimocoao.dll Hfklhhcl.exe File created C:\Windows\SysWOW64\Mlnipg32.exe Miomdk32.exe File created C:\Windows\SysWOW64\Licfngjd.exe Lalnmiia.exe File created C:\Windows\SysWOW64\Ginnfgop.exe Gklnjj32.exe File opened for modification C:\Windows\SysWOW64\Jibmgi32.exe Jqlefl32.exe File opened for modification C:\Windows\SysWOW64\Lomqcjie.exe Process not Found File created C:\Windows\SysWOW64\Jbofpe32.dll Process not Found File created C:\Windows\SysWOW64\Bmhocd32.exe Process not Found File created C:\Windows\SysWOW64\Aadifclh.exe Aminee32.exe File created C:\Windows\SysWOW64\Bombmcec.exe Bmofagfp.exe File created C:\Windows\SysWOW64\Jofalmmp.exe Jmeede32.exe File opened for modification C:\Windows\SysWOW64\Opnbae32.exe Process not Found File created C:\Windows\SysWOW64\Ckmonl32.exe Chnbbqpn.exe File created C:\Windows\SysWOW64\Miiflecc.dll Jeqbpb32.exe File created C:\Windows\SysWOW64\Kbekqdjh.exe Khpgckkb.exe File opened for modification C:\Windows\SysWOW64\Eeelnp32.exe Ebgpad32.exe File created C:\Windows\SysWOW64\Legokici.dll Nlfelogp.exe File opened for modification C:\Windows\SysWOW64\Hnfamjqg.exe Hkhdqoac.exe File opened for modification C:\Windows\SysWOW64\Aglnbhal.exe Aodfajaj.exe File created C:\Windows\SysWOW64\Ifhahnbj.dll Glgjlm32.exe File created C:\Windows\SysWOW64\Lhlndcmq.dll Hgmgqc32.exe File opened for modification C:\Windows\SysWOW64\Bdickcpo.exe Bomkcm32.exe File opened for modification C:\Windows\SysWOW64\Niniei32.exe Ngomin32.exe File opened for modification C:\Windows\SysWOW64\Efccmidp.exe Ecefqnel.exe File created C:\Windows\SysWOW64\Dgeofeib.dll Oalipoiq.exe File created C:\Windows\SysWOW64\Jcdjbk32.exe Jpenfp32.exe File opened for modification C:\Windows\SysWOW64\Gbeejp32.exe Gpgind32.exe File created C:\Windows\SysWOW64\Gbmingjo.exe Gpnmbl32.exe File opened for modification C:\Windows\SysWOW64\Gikkfqmf.exe Gfmojenc.exe File created C:\Windows\SysWOW64\Njmhhefi.exe Nhokljge.exe File created C:\Windows\SysWOW64\Ciggeb32.dll Bomkcm32.exe File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Eoideh32.exe File opened for modification C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File created C:\Windows\SysWOW64\Klcekpdo.exe Kjeiodek.exe File created C:\Windows\SysWOW64\Lbchba32.exe Lhncdi32.exe File opened for modification C:\Windows\SysWOW64\Mniallpq.exe Mjneln32.exe File opened for modification C:\Windows\SysWOW64\Obcceg32.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Ffclcgfn.exe Fpjcgm32.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Ibffdoal.dll Ocffempp.exe File created C:\Windows\SysWOW64\Glienb32.dll Eciplm32.exe File created C:\Windows\SysWOW64\Pccopc32.dll Hbohpn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7976 7784 Process not Found 1269 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddhpjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqpbglno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khmknk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamknj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edknqiho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaqhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaicd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oogpjbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfamjqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jicdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jieagojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfjbdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higjaoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnmfclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmcdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cimcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplgeokq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idahjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigonjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmclccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfaohbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeboaob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opemca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdaepai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdaodja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpgckkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biadeoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbbcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejgch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfjifjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhnaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecjif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkgeg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fikbocki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oejbfmpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nojanpej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbjmd32.dll" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdcpk32.dll" Phelcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjkfjbc.dll" Omcjep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqhajknb.dll" Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpdihki.dll" Fiodpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikcdlmgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfnodb.dll" Dfefkkqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amddjegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlnipg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacibgbo.dll" Nhbfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khmknk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbeejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neffpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnchkf32.dll" Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbcpja32.dll" Bopocbcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glldgljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnnikdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgjopal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcjep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcbhah32.dll" Cdecgbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" Dddhpjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdbei32.dll" Jngjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjlic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdecgbfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiagakg.dll" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bafndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omlokmha.dll" Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gilapgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphqhffa.dll" Oocddono.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 3068 2144 5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe 83 PID 2144 wrote to memory of 3068 2144 5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe 83 PID 2144 wrote to memory of 3068 2144 5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe 83 PID 3068 wrote to memory of 1348 3068 Odapnf32.exe 84 PID 3068 wrote to memory of 1348 3068 Odapnf32.exe 84 PID 3068 wrote to memory of 1348 3068 Odapnf32.exe 84 PID 1348 wrote to memory of 4596 1348 Ogpmjb32.exe 85 PID 1348 wrote to memory of 4596 1348 Ogpmjb32.exe 85 PID 1348 wrote to memory of 4596 1348 Ogpmjb32.exe 85 PID 4596 wrote to memory of 4032 4596 Ojoign32.exe 86 PID 4596 wrote to memory of 4032 4596 Ojoign32.exe 86 PID 4596 wrote to memory of 4032 4596 Ojoign32.exe 86 PID 4032 wrote to memory of 4592 4032 Oddmdf32.exe 87 PID 4032 wrote to memory of 4592 4032 Oddmdf32.exe 87 PID 4032 wrote to memory of 4592 4032 Oddmdf32.exe 87 PID 4592 wrote to memory of 2696 4592 Ogbipa32.exe 88 PID 4592 wrote to memory of 2696 4592 Ogbipa32.exe 88 PID 4592 wrote to memory of 2696 4592 Ogbipa32.exe 88 PID 2696 wrote to memory of 64 2696 Pmoahijl.exe 89 PID 2696 wrote to memory of 64 2696 Pmoahijl.exe 89 PID 2696 wrote to memory of 64 2696 Pmoahijl.exe 89 PID 64 wrote to memory of 2912 64 Pdfjifjo.exe 90 PID 64 wrote to memory of 2912 64 Pdfjifjo.exe 90 PID 64 wrote to memory of 2912 64 Pdfjifjo.exe 90 PID 2912 wrote to memory of 2832 2912 Pgefeajb.exe 91 PID 2912 wrote to memory of 2832 2912 Pgefeajb.exe 91 PID 2912 wrote to memory of 2832 2912 Pgefeajb.exe 91 PID 2832 wrote to memory of 3076 2832 Pnonbk32.exe 92 PID 2832 wrote to memory of 3076 2832 Pnonbk32.exe 92 PID 2832 wrote to memory of 3076 2832 Pnonbk32.exe 92 PID 3076 wrote to memory of 3228 3076 Pqmjog32.exe 93 PID 3076 wrote to memory of 3228 3076 Pqmjog32.exe 93 PID 3076 wrote to memory of 3228 3076 Pqmjog32.exe 93 PID 3228 wrote to memory of 2476 3228 Pggbkagp.exe 94 PID 3228 wrote to memory of 2476 3228 Pggbkagp.exe 94 PID 3228 wrote to memory of 2476 3228 Pggbkagp.exe 94 PID 2476 wrote to memory of 4692 2476 Pjeoglgc.exe 95 PID 2476 wrote to memory of 4692 2476 Pjeoglgc.exe 95 PID 2476 wrote to memory of 4692 2476 Pjeoglgc.exe 95 PID 4692 wrote to memory of 3752 4692 Pmdkch32.exe 96 PID 4692 wrote to memory of 3752 4692 Pmdkch32.exe 96 PID 4692 wrote to memory of 3752 4692 Pmdkch32.exe 96 PID 3752 wrote to memory of 4352 3752 Pcncpbmd.exe 97 PID 3752 wrote to memory of 4352 3752 Pcncpbmd.exe 97 PID 3752 wrote to memory of 4352 3752 Pcncpbmd.exe 97 PID 4352 wrote to memory of 4520 4352 Pflplnlg.exe 98 PID 4352 wrote to memory of 4520 4352 Pflplnlg.exe 98 PID 4352 wrote to memory of 4520 4352 Pflplnlg.exe 98 PID 4520 wrote to memory of 4512 4520 Pncgmkmj.exe 99 PID 4520 wrote to memory of 4512 4520 Pncgmkmj.exe 99 PID 4520 wrote to memory of 4512 4520 Pncgmkmj.exe 99 PID 4512 wrote to memory of 1460 4512 Pqbdjfln.exe 100 PID 4512 wrote to memory of 1460 4512 Pqbdjfln.exe 100 PID 4512 wrote to memory of 1460 4512 Pqbdjfln.exe 100 PID 1460 wrote to memory of 536 1460 Pgllfp32.exe 101 PID 1460 wrote to memory of 536 1460 Pgllfp32.exe 101 PID 1460 wrote to memory of 536 1460 Pgllfp32.exe 101 PID 536 wrote to memory of 3764 536 Pnfdcjkg.exe 102 PID 536 wrote to memory of 3764 536 Pnfdcjkg.exe 102 PID 536 wrote to memory of 3764 536 Pnfdcjkg.exe 102 PID 3764 wrote to memory of 1792 3764 Pdpmpdbd.exe 103 PID 3764 wrote to memory of 1792 3764 Pdpmpdbd.exe 103 PID 3764 wrote to memory of 1792 3764 Pdpmpdbd.exe 103 PID 1792 wrote to memory of 1224 1792 Pgnilpah.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe"C:\Users\Admin\AppData\Local\Temp\5d3e6056e43e0991f224ae54edbfaf9984e2dd0d186ec86628fcffd1a83d7b97N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe25⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe26⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Aeiofcji.exeC:\Windows\system32\Aeiofcji.exe28⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe29⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe30⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:4108 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe32⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe33⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe34⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Afoeiklb.exeC:\Windows\system32\Afoeiklb.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Bfabnjjp.exeC:\Windows\system32\Bfabnjjp.exe38⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe39⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe40⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Bnkgeg32.exeC:\Windows\system32\Bnkgeg32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe43⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe44⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Bnmcjg32.exeC:\Windows\system32\Bnmcjg32.exe45⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Bgehcmmm.exeC:\Windows\system32\Bgehcmmm.exe46⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe47⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Beihma32.exeC:\Windows\system32\Beihma32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe49⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Bmemac32.exeC:\Windows\system32\Bmemac32.exe50⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe51⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe52⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe53⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Cmgjgcgo.exeC:\Windows\system32\Cmgjgcgo.exe54⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe55⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe56⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe57⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe58⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe59⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe60⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe61⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Cjbpaf32.exeC:\Windows\system32\Cjbpaf32.exe62⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe63⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe64⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe65⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe66⤵PID:2312
-
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe67⤵PID:4996
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe68⤵PID:3240
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe69⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe70⤵
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe71⤵PID:3044
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe72⤵PID:3492
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe73⤵PID:396
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe75⤵PID:3744
-
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe76⤵PID:3508
-
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3944 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe78⤵PID:748
-
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe79⤵PID:2180
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe80⤵PID:440
-
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe81⤵PID:1232
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe82⤵PID:3036
-
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe83⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe84⤵PID:3244
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe85⤵PID:3920
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe86⤵PID:4340
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe87⤵PID:4868
-
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe88⤵PID:364
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe89⤵PID:3448
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe90⤵PID:3424
-
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe91⤵PID:1660
-
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe92⤵PID:3632
-
C:\Windows\SysWOW64\Feapkk32.exeC:\Windows\system32\Feapkk32.exe93⤵PID:3616
-
C:\Windows\SysWOW64\Fgbmccpg.exeC:\Windows\system32\Fgbmccpg.exe94⤵PID:3864
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe95⤵PID:2176
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe96⤵PID:4228
-
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe97⤵PID:2772
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe98⤵PID:2676
-
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe99⤵PID:2364
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe100⤵PID:2784
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe101⤵PID:1748
-
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe102⤵PID:2340
-
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe103⤵PID:3156
-
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe104⤵PID:2028
-
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe105⤵PID:912
-
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe106⤵PID:5132
-
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe107⤵PID:5176
-
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe108⤵PID:5220
-
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe109⤵PID:5264
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe110⤵PID:5308
-
C:\Windows\SysWOW64\Gempgj32.exeC:\Windows\system32\Gempgj32.exe111⤵PID:5352
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe113⤵PID:5440
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe114⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe115⤵PID:5524
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe116⤵PID:5568
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe117⤵PID:5612
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe118⤵PID:5656
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe119⤵PID:5700
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe120⤵PID:5744
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe121⤵PID:5788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-