Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2024 17:18
Behavioral task: behavioral1
Sample: 5b139f69baa56815497d825a0d3438e6492467c5a86be7c01791f1d114a2a87aN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 5b139f69baa56815497d825a0d3438e6492467c5a86be7c01791f1d114a2a87aN.exe
Resource: win10v2004-20241007-en
General
Target: 5b139f69baa56815497d825a0d3438e6492467c5a86be7c01791f1d114a2a87aN.exe
Size: 582KB
MD5: cd617b776bdd84671a9b561cee5929f0
SHA1: ebb7a95cf741363f597402cd7391028b253aabd0
SHA256: 5b139f69baa56815497d825a0d3438e6492467c5a86be7c01791f1d114a2a87a
SHA512: 70535ba741630e44d5900a394a5ad833852990a27eef6a08caa55ad52b0c87a5a2686935fb10489b7beae93283a0aabe7434b408690ffa3966c6d643ed2fd0ce
SSDEEP: 6144:OTF5iN2q3p7+1bRtPcCrhCRkR/+MG7+1bRtPcCrhxPSHlV2Yj6egLCCGP7+1bRtF:OpqZYNrekcPYNrq6+gmCAYNrekcPYNrB
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hddbfkip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkcmeboe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njahob32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlnjeqpd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iccani32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhagbfnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Piohjlol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdipoh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gboffb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hdehaddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkokfg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfdbdcjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjmcanog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Poejbd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkilkk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekpmepok.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mobbioeo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilbcqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocmjlpfa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajnkfp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmomoi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gehbmhbd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plnkan32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkcmeboe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kndomk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idlobcnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdicno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Edemnodc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Codhamjf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlgebm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ohbfiage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfbabi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gpicjhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikmmoloo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Giaahg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hiomieqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jedjpdjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjcmhmdp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlipja32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knabhk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnqngac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mbqkomke.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgnkkckd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmbkbdfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iljpleib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnipeoom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfgndmhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Efamdkei.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpodom32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbhpfcio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cohbkhah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njnpck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmdmdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jhgnnfno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpecefpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdkpcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hfioec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oimihe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oolnfkoa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjnbobdj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpmpqkma.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qoaqhhlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Boflpoff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knlbbepp.exe
Berbew family
-
Executes dropped EXE 64 IoCs
pid | Process
3348 | Lfckdcoe.exe
3536 | Lmmcqn32.exe
1264 | Ldjhcgll.exe
3288 | Llemgj32.exe
2972 | Mmdiamqj.exe
4520 | Mepnfone.exe
928 | Mgokpbeh.exe
3416 | Mgageace.exe
4808 | Mpjlngje.exe
3052 | Mnnlgkho.exe
1468 | Nidmml32.exe
2552 | Nghmfqmm.exe
1328 | Nconka32.exe
2636 | Njifhljn.exe
2384 | Njlcmk32.exe
396 | Njnpck32.exe
3424 | Ojplhkdf.exe
700 | Ojbinjbc.exe
1792 | Ogfjgo32.exe
4240 | Ocmjlpfa.exe
1472 | Odmgfb32.exe
4176 | Omhlkeko.exe
3588 | Pjlldiji.exe
1292 | Pfcmij32.exe
1964 | Pnlapgnl.exe
4552 | Pgdfim32.exe
2308 | Pggbnlbj.exe
4680 | Qqoggb32.exe
1920 | Qdmpmp32.exe
1772 | Aqdqbaee.exe
2240 | Acbmnmdi.exe
472 | Agpedkjp.exe
3892 | Acgfil32.exe
336 | Anmjfe32.exe
2500 | Aefbcogf.exe
3200 | Afhokgme.exe
3848 | Anogldng.exe
3856 | Aclpdklo.exe
4332 | Afjlqgkb.exe
1972 | Beklnn32.exe
1616 | Bjhdgeai.exe
3364 | Babmco32.exe
3112 | Bfoelf32.exe
884 | Bmimhpoj.exe
4072 | Bccfej32.exe
3088 | Bfabaf32.exe
2548 | Bmkjnp32.exe
4164 | Bhqnki32.exe
4012 | Bnkfhcdj.exe
4580 | Bhckqh32.exe
3492 | Cnmcnb32.exe
4832 | Cegljmid.exe
2160 | Cfhhbe32.exe
4544 | Canlon32.exe
2708 | Chhdlhfe.exe
4020 | Cfkegd32.exe
944 | Cmdmdo32.exe
2096 | Celeel32.exe
4996 | Chjaag32.exe
1560 | Cenakl32.exe
4528 | Cfonbdij.exe
2300 | Dhokmgpm.exe
2956 | Dagoel32.exe
3568 | Dhagbfnj.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Dkokfg32.exe | Dfbcnpjb.exe
File created | C:\Windows\SysWOW64\Diamoh32.exe | Dhqqhpjo.exe
File opened for modification | C:\Windows\SysWOW64\Phaakb32.exe | Pagiohjn.exe
File opened for modification | C:\Windows\SysWOW64\Fbompdaj.exe | Flddcj32.exe
File created | C:\Windows\SysWOW64\Inphpm32.dll | Gpicjhjk.exe
File created | C:\Windows\SysWOW64\Napjgl32.exe | Njfajagl.exe
File created | C:\Windows\SysWOW64\Nchaaf32.dll | Cohbkhah.exe
File created | C:\Windows\SysWOW64\Eapijcmq.dll | Bhckqh32.exe
File created | C:\Windows\SysWOW64\Jlinanno.dll | Fobofmal.exe
File created | C:\Windows\SysWOW64\Oknqpk32.dll | Eiaolpoo.exe
File opened for modification | C:\Windows\SysWOW64\Ncjmhhba.exe | Nmpdkn32.exe
File created | C:\Windows\SysWOW64\Ehnkjjcm.dll | Hmdcie32.exe
File created | C:\Windows\SysWOW64\Lmmcqn32.exe | Lfckdcoe.exe
File created | C:\Windows\SysWOW64\Hdbmkaoo.exe | Gnhdng32.exe
File created | C:\Windows\SysWOW64\Jefohnkf.dll | Jjeffhbd.exe
File opened for modification | C:\Windows\SysWOW64\Flaacdhd.exe | Ficegiip.exe
File created | C:\Windows\SysWOW64\Aoafcf32.dll | Lcpjqe32.exe
File created | C:\Windows\SysWOW64\Dikanjoi.dll | Omipgf32.exe
File created | C:\Windows\SysWOW64\Pdehgf32.dll | Mimpagqp.exe
File created | C:\Windows\SysWOW64\Boflpoff.exe | Bhlcce32.exe
File created | C:\Windows\SysWOW64\Jgclgm32.dll | Alicbf32.exe
File created | C:\Windows\SysWOW64\Lpilmcdl.exe | Lhadlfcj.exe
File created | C:\Windows\SysWOW64\Giienb32.exe | Ghhhfjha.exe
File created | C:\Windows\SysWOW64\Kfjkql32.dll | Dfjgdlka.exe
File created | C:\Windows\SysWOW64\Ckhpkk32.dll | Gfaoab32.exe
File created | C:\Windows\SysWOW64\Gfjpjk32.dll | Nmmqkgil.exe
File opened for modification | C:\Windows\SysWOW64\Hgghme32.exe | Hpmpqkma.exe
File created | C:\Windows\SysWOW64\Kiejpd32.exe | Kanbng32.exe
File created | C:\Windows\SysWOW64\Bcnepefp.exe | Bobiof32.exe
File created | C:\Windows\SysWOW64\Pkmgcl32.dll | Ohdldk32.exe
File opened for modification | C:\Windows\SysWOW64\Idbogi32.exe | Ikijocgp.exe
File created | C:\Windows\SysWOW64\Hccikj32.dll | Hgfaco32.exe
File created | C:\Windows\SysWOW64\Ojgloc32.exe | Oghpbh32.exe
File created | C:\Windows\SysWOW64\Oopemeii.dll | Ejofki32.exe
File opened for modification | C:\Windows\SysWOW64\Jjeffhbd.exe | Jdhnnacl.exe
File created | C:\Windows\SysWOW64\Lnmkic32.exe | Lknomh32.exe
File opened for modification | C:\Windows\SysWOW64\Glpmdb32.exe | Giaahg32.exe
File opened for modification | C:\Windows\SysWOW64\Mpjlngje.exe | Mgageace.exe
File created | C:\Windows\SysWOW64\Npokka32.dll | Cmdmdo32.exe
File opened for modification | C:\Windows\SysWOW64\Lhogff32.exe | Lfnkonpo.exe
File created | C:\Windows\SysWOW64\Jjjpah32.exe | Jgkdel32.exe
File created | C:\Windows\SysWOW64\Kjepmfca.exe | Kckgplld.exe
File created | C:\Windows\SysWOW64\Ccqcbo32.dll | Dkahlg32.exe
File created | C:\Windows\SysWOW64\Fecbkafh.dll | Jlgebm32.exe
File created | C:\Windows\SysWOW64\Jbpiab32.exe | Joamef32.exe
File created | C:\Windows\SysWOW64\Bobiof32.exe | Bjeago32.exe
File created | C:\Windows\SysWOW64\Gmafde32.exe | Gifjcfik.exe
File created | C:\Windows\SysWOW64\Kljbhm32.exe | Kepjkbpg.exe
File opened for modification | C:\Windows\SysWOW64\Ncdlbb32.exe | Mnhdjk32.exe
File created | C:\Windows\SysWOW64\Mpkmin32.dll | Kipqdeed.exe
File opened for modification | C:\Windows\SysWOW64\Flbhmk32.exe | Fidlaoml.exe
File created | C:\Windows\SysWOW64\Eigekkcn.exe | Ebmmnq32.exe
File created | C:\Windows\SysWOW64\Ilfiqjjp.dll | Gobckmgb.exe
File created | C:\Windows\SysWOW64\Dgmegk32.dll | Nehcgaoc.exe
File opened for modification | C:\Windows\SysWOW64\Napjgl32.exe | Njfajagl.exe
File created | C:\Windows\SysWOW64\Jmohfdhg.dll | Lnchcd32.exe
File opened for modification | C:\Windows\SysWOW64\Himqde32.exe | Hbchgkkf.exe
File created | C:\Windows\SysWOW64\Bfchlopl.exe | Bpippeho.exe
File created | C:\Windows\SysWOW64\Eiaolpoo.exe | Ebggoe32.exe
File created | C:\Windows\SysWOW64\Cnbbgoal.dll | Bfpdli32.exe
File opened for modification | C:\Windows\SysWOW64\Jkdcpkif.exe | Jcmkonhd.exe
File created | C:\Windows\SysWOW64\Kckgplld.exe | Kqmkdqmq.exe
File created | C:\Windows\SysWOW64\Bccfej32.exe | Bmimhpoj.exe
File created | C:\Windows\SysWOW64\Jepgpmlo.dll | Blqjcemj.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
6172 | 6196 | WerFault.exe | 1016
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Every one of the 64 rows is "Key opened" on the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by one of the following processes (in the order the report lists them):
Nlfndd32.exe, Gnlmkn32.exe, Dfadnmcl.exe, Kjepmfca.exe, Gkdhmf32.exe, Idbogi32.exe, Jcmkonhd.exe, Oolnfkoa.exe,
Jnpcfd32.exe, Mgokpbeh.exe, Ecbjni32.exe, Qleaamkc.exe, Mlfcbc32.exe, Olknjj32.exe, Hlnjeqpd.exe, Ekpmepok.exe,
Glpdoi32.exe, Lgiildoo.exe, Niabbpio.exe, Iqklbi32.exe, Maqhkdqg.exe, Epfgcdfe.exe, Fogham32.exe, Pgdfim32.exe,
Okpkkfbm.exe, Pocmld32.exe, Hbhbbk32.exe, Ogfjgo32.exe, Ljnkho32.exe, Cllbdmpa.exe, Dbanbbfn.exe, Cnahgdaj.exe,
Jkjjpg32.exe, Keeknl32.exe, Agdhedco.exe, Hgnegg32.exe, Fjeeabal.exe, Icmbhpfg.exe, Ngeanp32.exe, Inmgpd32.exe,
Bmkccjik.exe, Nehcgaoc.exe, Eimeqp32.exe, Jqchnbek.exe, Pdalpd32.exe, Jidpkbnh.exe, Lmmcqn32.exe, Igpdin32.exe,
Loaakg32.exe, Mmhgphma.exe, Dmnpjmla.exe, Flddcj32.exe, Jlafldcj.exe, Mkjnif32.exe, Ohahdepn.exe, Podcgn32.exe,
Mjeainbc.exe, Omipgf32.exe, Igiecebl.exe, Maeafc32.exe, Pmjphjdg.exe, Aogidk32.exe, Fhfjdclb.exe, Cgijgaqf.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mabmfnki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fobofmal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hklehl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Npbhjp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jkcmeboe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oehlno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkmlh32.dll" | Cmcoobme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Igpdin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cafngdpk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bmkjnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hklehl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgifpa32.dll" | Fkihah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfdgmbfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mmhgphma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ljbfckmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpnakkm.dll" | Kojkjhde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Djmpnlle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lepdpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baknompj.dll" | Dlbofm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Akgchm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fldnhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhaebinp.dll" | Mfqlin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eggmjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emneojqi.dll" | Gnhdng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifogm32.dll" | Diclpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mmfkki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holgfcaf.dll" | Mlhhnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhebd32.dll" | Ecpmhi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mmkkpnnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onjigh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odmgfb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgijgaqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jnaiamni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkgpgd32.dll" | Nkghehkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kqohip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eblcjm32.dll" | Lkelgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foojec32.dll" | Bajokeji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbpdj32.dll" | Mhijle32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fhecjmhf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jqpfmiml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjjpah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pnlapgnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hngndadf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ecnqcjfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbpiab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aqjphj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqlfcb32.dll" | Fdopdnlh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oefohobc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gpicjhjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmlpf32.dll" | Bkglojmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hiajoeon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlocihjb.dll" | Beklnn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lnflcjlq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lgamappo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emgjjg32.dll" | Mlkecl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dkmeknng.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pdooje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmdjmmgn.dll" | Fnnqipij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbocgbco.dll" | Lgcjgonl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Domldpcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmmhlla.dll" | Daqblk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mobbioeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqhcaooc.dll" | Efopok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iainagdo.dll" | Elnobkpe.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each process below is the child of the one listed before it; the list number is its depth in the process tree. Every dropped executable was launched with the command line C:\Windows\system32\<name>.exe, which WOW64 file-system redirection resolves to the C:\Windows\SysWOW64 image path shown. The signatures each process triggered follow its PID.
1. C:\Users\Admin\AppData\Local\Temp\5b139f69baa56815497d825a0d3438e6492467c5a86be7c01791f1d114a2a87aN.exe, command line "C:\Users\Admin\AppData\Local\Temp\5b139f69baa56815497d825a0d3438e6492467c5a86be7c01791f1d114a2a87aN.exe" (PID 416): Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lfckdcoe.exe (PID 3348): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lmmcqn32.exe (PID 3536): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ldjhcgll.exe (PID 1264): Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Llemgj32.exe (PID 3288): Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Mmdiamqj.exe (PID 2972): Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mepnfone.exe (PID 4520): Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mgokpbeh.exe (PID 928): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mgageace.exe (PID 3416): Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mpjlngje.exe (PID 4808): Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mnnlgkho.exe (PID 3052): Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Nidmml32.exe (PID 1468): Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Nghmfqmm.exe (PID 2552): Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Nconka32.exe (PID 1328): Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Njifhljn.exe (PID 2636): Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Njlcmk32.exe (PID 2384): Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Njnpck32.exe (PID 396): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ojplhkdf.exe (PID 3424): Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ojbinjbc.exe (PID 700): Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ogfjgo32.exe (PID 1792): Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ocmjlpfa.exe (PID 4240): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Odmgfb32.exe (PID 1472): Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Omhlkeko.exe (PID 4176): Executes dropped EXE
24. C:\Windows\SysWOW64\Pjlldiji.exe (PID 3588): Executes dropped EXE
25. C:\Windows\SysWOW64\Pfcmij32.exe (PID 1292): Executes dropped EXE
26. C:\Windows\SysWOW64\Pnlapgnl.exe (PID 1964): Executes dropped EXE; Modifies registry class
27. C:\Windows\SysWOW64\Pgdfim32.exe (PID 4552): Executes dropped EXE; System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Pggbnlbj.exe (PID 2308): Executes dropped EXE
29. C:\Windows\SysWOW64\Qqoggb32.exe (PID 4680): Executes dropped EXE
30. C:\Windows\SysWOW64\Qdmpmp32.exe (PID 1920): Executes dropped EXE
31. C:\Windows\SysWOW64\Aqdqbaee.exe (PID 1772): Executes dropped EXE
32. C:\Windows\SysWOW64\Acbmnmdi.exe (PID 2240): Executes dropped EXE
33. C:\Windows\SysWOW64\Agpedkjp.exe (PID 472): Executes dropped EXE
34. C:\Windows\SysWOW64\Acgfil32.exe (PID 3892): Executes dropped EXE
35. C:\Windows\SysWOW64\Anmjfe32.exe (PID 336): Executes dropped EXE
36. C:\Windows\SysWOW64\Aefbcogf.exe (PID 2500): Executes dropped EXE
37. C:\Windows\SysWOW64\Afhokgme.exe (PID 3200): Executes dropped EXE
38. C:\Windows\SysWOW64\Anogldng.exe (PID 3848): Executes dropped EXE
39. C:\Windows\SysWOW64\Aclpdklo.exe (PID 3856): Executes dropped EXE
40. C:\Windows\SysWOW64\Afjlqgkb.exe (PID 4332): Executes dropped EXE
41. C:\Windows\SysWOW64\Beklnn32.exe (PID 1972): Executes dropped EXE; Modifies registry class
42. C:\Windows\SysWOW64\Bjhdgeai.exe (PID 1616): Executes dropped EXE
43. C:\Windows\SysWOW64\Babmco32.exe (PID 3364): Executes dropped EXE
44. C:\Windows\SysWOW64\Bfoelf32.exe (PID 3112): Executes dropped EXE
45. C:\Windows\SysWOW64\Bmimhpoj.exe (PID 884): Executes dropped EXE; Drops file in System32 directory
46. C:\Windows\SysWOW64\Bccfej32.exe (PID 4072): Executes dropped EXE
47. C:\Windows\SysWOW64\Bfabaf32.exe (PID 3088): Executes dropped EXE
48. C:\Windows\SysWOW64\Bmkjnp32.exe (PID 2548): Executes dropped EXE; Modifies registry class
49. C:\Windows\SysWOW64\Bhqnki32.exe (PID 4164): Executes dropped EXE
50. C:\Windows\SysWOW64\Bnkfhcdj.exe (PID 4012): Executes dropped EXE
51. C:\Windows\SysWOW64\Bhckqh32.exe (PID 4580): Executes dropped EXE; Drops file in System32 directory
52. C:\Windows\SysWOW64\Cnmcnb32.exe (PID 3492): Executes dropped EXE
53. C:\Windows\SysWOW64\Cegljmid.exe (PID 4832): Executes dropped EXE
54. C:\Windows\SysWOW64\Cfhhbe32.exe (PID 2160): Executes dropped EXE
55. C:\Windows\SysWOW64\Canlon32.exe (PID 4544): Executes dropped EXE
56. C:\Windows\SysWOW64\Chhdlhfe.exe (PID 2708): Executes dropped EXE
57. C:\Windows\SysWOW64\Cfkegd32.exe (PID 4020): Executes dropped EXE
58. C:\Windows\SysWOW64\Cmdmdo32.exe (PID 944): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
59. C:\Windows\SysWOW64\Celeel32.exe (PID 2096): Executes dropped EXE
60. C:\Windows\SysWOW64\Chjaag32.exe (PID 4996): Executes dropped EXE
61. C:\Windows\SysWOW64\Cenakl32.exe (PID 1560): Executes dropped EXE
62. C:\Windows\SysWOW64\Cfonbdij.exe (PID 4528): Executes dropped EXE
63. C:\Windows\SysWOW64\Dhokmgpm.exe (PID 2300): Executes dropped EXE
64. C:\Windows\SysWOW64\Dagoel32.exe (PID 2956): Executes dropped EXE
65. C:\Windows\SysWOW64\Dhagbfnj.exe (PID 3568): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66. C:\Windows\SysWOW64\Dmnpjmla.exe (PID 5016): System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Ddhhggdo.exe (PID 1556)
68. C:\Windows\SysWOW64\Domldpcd.exe (PID 4708): Modifies registry class
69. C:\Windows\SysWOW64\Degdaj32.exe (PID 4908)
70. C:\Windows\SysWOW64\Dfiaibap.exe (PID 4328)
71. C:\Windows\SysWOW64\Dmbiem32.exe (PID 1484)
72. C:\Windows\SysWOW64\Ddmabgpi.exe (PID 4492)
73. C:\Windows\SysWOW64\Dkfjoagf.exe (PID 2208)
74. C:\Windows\SysWOW64\Daqblk32.exe (PID 5020): Modifies registry class
75. C:\Windows\SysWOW64\Egmjdb32.exe (PID 2324)
76. C:\Windows\SysWOW64\Emgbqldg.exe (PID 4280)
77. C:\Windows\SysWOW64\Ehmgne32.exe (PID 2840)
78. C:\Windows\SysWOW64\Eaekgjjn.exe (PID 4004)
79. C:\Windows\SysWOW64\Egbdoaie.exe (PID 5044)
80. C:\Windows\SysWOW64\Eknppp32.exe (PID 3952)
81. C:\Windows\SysWOW64\Edfdhego.exe (PID 2680)
82. C:\Windows\SysWOW64\Ekpmepok.exe (PID 4608): Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Eajebj32.exe (PID 4268)
84. C:\Windows\SysWOW64\Eggmjq32.exe (PID 1860): Modifies registry class
85. C:\Windows\SysWOW64\Eonekn32.exe (PID 4036)
86. C:\Windows\SysWOW64\Eehnhhmo.exe (PID 1572)
87. C:\Windows\SysWOW64\Fhfjdclb.exe (PID 3388): System Location Discovery: System Language Discovery
88. C:\Windows\SysWOW64\Faonmibc.exe (PID 764)
89. C:\Windows\SysWOW64\Fdmjidaf.exe (PID 3240)
90. C:\Windows\SysWOW64\Fgkgepqj.exe (PID 4116)
91. C:\Windows\SysWOW64\Fobofmal.exe (PID 420): Drops file in System32 directory; Modifies registry class
92. C:\Windows\SysWOW64\Femgcg32.exe (PID 2076)
93. C:\Windows\SysWOW64\Fkiokn32.exe (PID 960)
94. C:\Windows\SysWOW64\Foeklmoj.exe (PID 1816)
95. C:\Windows\SysWOW64\Fhmpebfj.exe (PID 1532)
96. C:\Windows\SysWOW64\Fogham32.exe (PID 5032): System Location Discovery: System Language Discovery
97. C:\Windows\SysWOW64\Foiegl32.exe (PID 3056)
98. C:\Windows\SysWOW64\Gkpelm32.exe (PID 4576)
99. C:\Windows\SysWOW64\Gajnighe.exe (PID 3016)
100. C:\Windows\SysWOW64\Gdijecgi.exe (PID 2252)
101. C:\Windows\SysWOW64\Gkbbam32.exe (PID 2432)
102. C:\Windows\SysWOW64\Gamjngfc.exe (PID 1764)
103. C:\Windows\SysWOW64\Ghfbkanp.exe (PID 4596)
104. C:\Windows\SysWOW64\Goqkhk32.exe (PID 4824)
105. C:\Windows\SysWOW64\Gaogdg32.exe (PID 5160)
106. C:\Windows\SysWOW64\Ghioqqlm.exe (PID 5208)
107. C:\Windows\SysWOW64\Gaadif32.exe (PID 5252)
108. C:\Windows\SysWOW64\Gfmpjejf.exe (PID 5296)
109. C:\Windows\SysWOW64\Gkjhbl32.exe (PID 5340)
110. C:\Windows\SysWOW64\Gnhdng32.exe (PID 5384): Drops file in System32 directory; Modifies registry class
111. C:\Windows\SysWOW64\Hdbmkaoo.exe (PID 5428)
112. C:\Windows\SysWOW64\Hklehl32.exe (PID 5472): Modifies registry class
113. C:\Windows\SysWOW64\Hohahjod.exe (PID 5516)
114. C:\Windows\SysWOW64\Hfaied32.exe (PID 5560)
115. C:\Windows\SysWOW64\Hgcfmm32.exe (PID 5604)
116. C:\Windows\SysWOW64\Hbhjje32.exe (PID 5648)
117. C:\Windows\SysWOW64\Hgebbl32.exe (PID 5692)
118. C:\Windows\SysWOW64\Holjci32.exe (PID 5736)
119. C:\Windows\SysWOW64\Hffbpcbl.exe (PID 5780)
120. C:\Windows\SysWOW64\Hhdoloap.exe (PID 5820)
121. C:\Windows\SysWOW64\Hoogiiil.exe (PID 5864)
122. C:\Windows\SysWOW64\Hfioec32.exe (PID 5908): Adds autorun key to be loaded by Explorer.exe on startup