Analysis
-
max time kernel
93s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 13:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe
-
Size
91KB
-
MD5
0ee55ea7312860462d90ee20e2f4dce0
-
SHA1
4dd92dabe53437d0d452ef1b97d1ac264bb38f49
-
SHA256
e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887
-
SHA512
b81da0e46c5dd73973f2d9ef9937f941b3734a0c5703aee255c2a8c7ab47c86d3b979e9ad4fcb246d4ace02c98ea67c03450f71b14ac4d46ef1cedf4652bccf6
-
SSDEEP
1536:SwIDwL3HKBGxyMlvTjZsZNb4NLXbO/s0mjI1XNQ:SjULKYv5s8O/zlXNQ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpnmbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bojomm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojnko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggeboaob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkikq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcfmkff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmcbime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpojead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indfca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlmgopjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipbdikp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fielph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeebnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkckeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkpdcmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohnonij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epagkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efkphnbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppbkgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogklelna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieliebnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhbolp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nafjjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecphp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooagno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmcdffmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdaodja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmefhako.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eachem32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4412 Cfmajipb.exe 4304 Cndikf32.exe 4824 Cabfga32.exe 2956 Cenahpha.exe 4736 Cdabcm32.exe 1892 Cjkjpgfi.exe 4528 Cmiflbel.exe 212 Ceqnmpfo.exe 1036 Chokikeb.exe 5004 Cjmgfgdf.exe 2620 Cmlcbbcj.exe 2484 Ceckcp32.exe 3612 Chagok32.exe 3904 Cmnpgb32.exe 3648 Cdhhdlid.exe 1156 Cffdpghg.exe 736 Cmqmma32.exe 4452 Cegdnopg.exe 3336 Dfiafg32.exe 3568 Dmcibama.exe 3912 Dejacond.exe 3184 Dfknkg32.exe 3268 Dmefhako.exe 1612 Ddonekbl.exe 3220 Dhkjej32.exe 4344 Dkifae32.exe 1808 Daconoae.exe 5084 Ddakjkqi.exe 532 Dkkcge32.exe 3548 Egdqae32.exe 1180 Emoinpcd.exe 4724 Eajeon32.exe 4972 Ehdmlhcj.exe 4472 Ekbihd32.exe 4968 Emaedo32.exe 1988 Eehnem32.exe 1448 Edknqiho.exe 1444 Edmjfifl.exe 2716 Eglgbdep.exe 3452 Eobocb32.exe 3624 Eaakpm32.exe 752 Edpgli32.exe 760 Ehkclgmb.exe 2440 Eoekia32.exe 2092 Eachem32.exe 1440 Fgppmd32.exe 5076 Fnjhjn32.exe 116 Fafdkmap.exe 3840 Fhpmgg32.exe 1152 Fojedapj.exe 3264 Fedmqk32.exe 4572 Fhbimf32.exe 3772 Fkqeib32.exe 3744 Fnobem32.exe 1556 Fhdfbfdh.exe 60 Fnaokmco.exe 2264 Fdkggg32.exe 2908 Fgjccb32.exe 3168 Fkeodaai.exe 4900 Fnckpmql.exe 2520 Gaogak32.exe 1816 Gdncmghi.exe 3524 Gochjpho.exe 3204 Gaadfkgc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mimpolee.exe Lfodbqfa.exe File created C:\Windows\SysWOW64\Jnhpoamf.exe Jhlgfj32.exe File created C:\Windows\SysWOW64\Jbfadafe.dll Gfkbde32.exe File created C:\Windows\SysWOW64\Dpaagldf.dll Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Emoinpcd.exe Egdqae32.exe File opened for modification C:\Windows\SysWOW64\Jiokfpph.exe Jecofa32.exe File opened for modification C:\Windows\SysWOW64\Jmbhoeid.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kldmckic.exe Jghabl32.exe File created C:\Windows\SysWOW64\Efdjgo32.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Hncfnebg.dll Gpcmga32.exe File created C:\Windows\SysWOW64\Gmdcfidg.exe Gemkelcd.exe File created C:\Windows\SysWOW64\Dohjem32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lqojclne.exe Process not Found File created C:\Windows\SysWOW64\Empoiimf.exe Ejbbmnnb.exe File created C:\Windows\SysWOW64\Oldamm32.exe Oifeab32.exe File created C:\Windows\SysWOW64\Lkalplel.exe Lgepom32.exe File created C:\Windows\SysWOW64\Ngjbaj32.exe Nelfeo32.exe File created C:\Windows\SysWOW64\Cdpjlb32.exe Cfnjpfcl.exe File opened for modification C:\Windows\SysWOW64\Pnplfj32.exe Process not Found File created C:\Windows\SysWOW64\Mcnggo32.dll Gaopfe32.exe File opened for modification C:\Windows\SysWOW64\Icdheded.exe Ipflihfq.exe File created C:\Windows\SysWOW64\Miongake.dll Neclenfo.exe File opened for modification C:\Windows\SysWOW64\Hipmfjee.exe Process not Found File created C:\Windows\SysWOW64\Dafmjm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pnkbkk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jdnoplhh.exe Indfca32.exe File opened for modification C:\Windows\SysWOW64\Jmeede32.exe Process not Found File created C:\Windows\SysWOW64\Mgnlkfal.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mfqlfb32.exe Process not Found File created C:\Windows\SysWOW64\Pocfpf32.exe Plejdkmm.exe File opened for modification C:\Windows\SysWOW64\Aojlaeei.exe Allpejfe.exe File opened for modification C:\Windows\SysWOW64\Mfnoqc32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe Cdhhdlid.exe File created C:\Windows\SysWOW64\Hmlfpb32.dll Lhdqnj32.exe File created C:\Windows\SysWOW64\Ddhmmpnk.dll Mjellmbp.exe File created C:\Windows\SysWOW64\Lnnlhc32.dll Gmdjapgb.exe File created C:\Windows\SysWOW64\Fmhdkknd.exe Fimhjl32.exe File opened for modification C:\Windows\SysWOW64\Ljilqnlm.exe Lgkpdcmi.exe File created C:\Windows\SysWOW64\Cggkemhh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hfningai.exe Hbbmmi32.exe File created C:\Windows\SysWOW64\Okjodami.dll Bjaqpbkh.exe File opened for modification C:\Windows\SysWOW64\Hgelek32.exe Gdfoio32.exe File opened for modification C:\Windows\SysWOW64\Ihgnkkbd.exe Iqpfjnba.exe File opened for modification C:\Windows\SysWOW64\Hgfapd32.exe Hckeoeno.exe File created C:\Windows\SysWOW64\Opogbbig.exe Ohgoaehe.exe File created C:\Windows\SysWOW64\Obncjbkf.dll Ghpocngo.exe File created C:\Windows\SysWOW64\Dnqjcbao.dll Lgkpdcmi.exe File opened for modification C:\Windows\SysWOW64\Cjliajmo.exe Cbeapmll.exe File created C:\Windows\SysWOW64\Gmfmgg32.dll Kdkdgchl.exe File opened for modification C:\Windows\SysWOW64\Aafemk32.exe Aogiap32.exe File created C:\Windows\SysWOW64\Pfiddm32.exe Process not Found File created C:\Windows\SysWOW64\Oqpakfgb.dll Abponp32.exe File created C:\Windows\SysWOW64\Cabfga32.exe Cndikf32.exe File opened for modification C:\Windows\SysWOW64\Kjffdalb.exe Kiejmi32.exe File created C:\Windows\SysWOW64\Hmokmkpo.dll Knchpiom.exe File created C:\Windows\SysWOW64\Gejlkojm.dll Bhldpj32.exe File created C:\Windows\SysWOW64\Maiccajf.exe Mnkggfkb.exe File opened for modification C:\Windows\SysWOW64\Mchppmij.exe Maiccajf.exe File opened for modification C:\Windows\SysWOW64\Gpnmbl32.exe Fmpqfq32.exe File created C:\Windows\SysWOW64\Nqdmimbf.dll Process not Found File created C:\Windows\SysWOW64\Loighj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npiiffqe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cjkjpgfi.exe File created C:\Windows\SysWOW64\Leckbi32.dll Qlmgopjq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 20796 20668 Process not Found 1425 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fojedapj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emlenj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmeapmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjnifbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhfkopc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfcdojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknmla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahilmoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lankbigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgnemjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohgoaehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobdbkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkcogno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnkonbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjpfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdlffhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnegggi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hninbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polppg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkpmdbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkaqnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmhmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhlgmmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhihdcbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckclhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgfce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfdmlcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epokedmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acokhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfnmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoplpla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcalieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnbiq32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paihbi32.dll" Jhijqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" Cmiflbel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhlkilba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkohq32.dll" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbhgf32.dll" Fbcfhibj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phjenbhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nognnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejoaandc.dll" Aekddhcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenahpha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inbqhhfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqnnno32.dll" Kgjgne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgiepjga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdgc32.dll" Iklgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaflgago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbnpcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkdcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haedpe32.dll" Hacbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dodjjimm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgbfhmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akccap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbefdijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljbfpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnnkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injmcmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgqjbf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdomhkp.dll" Afnnnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjpfdin.dll" Ikaggmii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcbpne32.dll" Mhdckaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdmkhgho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbffdlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejocggj.dll" Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niooqcad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbokdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjnccp.dll" Ooagno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnlinml.dll" Innfnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebimgcfi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 4412 4048 e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe 86 PID 4048 wrote to memory of 4412 4048 e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe 86 PID 4048 wrote to memory of 4412 4048 e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe 86 PID 4412 wrote to memory of 4304 4412 Cfmajipb.exe 87 PID 4412 wrote to memory of 4304 4412 Cfmajipb.exe 87 PID 4412 wrote to memory of 4304 4412 Cfmajipb.exe 87 PID 4304 wrote to memory of 4824 4304 Cndikf32.exe 88 PID 4304 wrote to memory of 4824 4304 Cndikf32.exe 88 PID 4304 wrote to memory of 4824 4304 Cndikf32.exe 88 PID 4824 wrote to memory of 2956 4824 Cabfga32.exe 89 PID 4824 wrote to memory of 2956 4824 Cabfga32.exe 89 PID 4824 wrote to memory of 2956 4824 Cabfga32.exe 89 PID 2956 wrote to memory of 4736 2956 Cenahpha.exe 90 PID 2956 wrote to memory of 4736 2956 Cenahpha.exe 90 PID 2956 wrote to memory of 4736 2956 Cenahpha.exe 90 PID 4736 wrote to memory of 1892 4736 Cdabcm32.exe 91 PID 4736 wrote to memory of 1892 4736 Cdabcm32.exe 91 PID 4736 wrote to memory of 1892 4736 Cdabcm32.exe 91 PID 1892 wrote to memory of 4528 1892 Cjkjpgfi.exe 92 PID 1892 wrote to memory of 4528 1892 Cjkjpgfi.exe 92 PID 1892 wrote to memory of 4528 1892 Cjkjpgfi.exe 92 PID 4528 wrote to memory of 212 4528 Cmiflbel.exe 93 PID 4528 wrote to memory of 212 4528 Cmiflbel.exe 93 PID 4528 wrote to memory of 212 4528 Cmiflbel.exe 93 PID 212 wrote to memory of 1036 212 Ceqnmpfo.exe 95 PID 212 wrote to memory of 1036 212 Ceqnmpfo.exe 95 PID 212 wrote to memory of 1036 212 Ceqnmpfo.exe 95 PID 1036 wrote to memory of 5004 1036 Chokikeb.exe 96 PID 1036 wrote to memory of 5004 1036 Chokikeb.exe 96 PID 1036 wrote to memory of 5004 1036 Chokikeb.exe 96 PID 5004 wrote to memory of 2620 5004 Cjmgfgdf.exe 97 PID 5004 wrote to memory of 2620 5004 Cjmgfgdf.exe 97 PID 5004 wrote to memory of 2620 5004 Cjmgfgdf.exe 97 PID 2620 wrote to memory of 2484 2620 Cmlcbbcj.exe 98 PID 2620 wrote to memory of 2484 2620 Cmlcbbcj.exe 98 PID 2620 wrote to memory of 2484 2620 Cmlcbbcj.exe 98 PID 2484 wrote to memory of 3612 2484 Ceckcp32.exe 99 PID 2484 wrote to memory of 3612 2484 Ceckcp32.exe 99 PID 2484 wrote to memory of 3612 2484 Ceckcp32.exe 99 PID 3612 wrote to memory of 3904 3612 Chagok32.exe 100 PID 3612 wrote to memory of 3904 3612 Chagok32.exe 100 PID 3612 wrote to memory of 3904 3612 Chagok32.exe 100 PID 3904 wrote to memory of 3648 3904 Cmnpgb32.exe 101 PID 3904 wrote to memory of 3648 3904 Cmnpgb32.exe 101 PID 3904 wrote to memory of 3648 3904 Cmnpgb32.exe 101 PID 3648 wrote to memory of 1156 3648 Cdhhdlid.exe 102 PID 3648 wrote to memory of 1156 3648 Cdhhdlid.exe 102 PID 3648 wrote to memory of 1156 3648 Cdhhdlid.exe 102 PID 1156 wrote to memory of 736 1156 Cffdpghg.exe 103 PID 1156 wrote to memory of 736 1156 Cffdpghg.exe 103 PID 1156 wrote to memory of 736 1156 Cffdpghg.exe 103 PID 736 wrote to memory of 4452 736 Cmqmma32.exe 104 PID 736 wrote to memory of 4452 736 Cmqmma32.exe 104 PID 736 wrote to memory of 4452 736 Cmqmma32.exe 104 PID 4452 wrote to memory of 3336 4452 Cegdnopg.exe 105 PID 4452 wrote to memory of 3336 4452 Cegdnopg.exe 105 PID 4452 wrote to memory of 3336 4452 Cegdnopg.exe 105 PID 3336 wrote to memory of 3568 3336 Dfiafg32.exe 106 PID 3336 wrote to memory of 3568 3336 Dfiafg32.exe 106 PID 3336 wrote to memory of 3568 3336 Dfiafg32.exe 106 PID 3568 wrote to memory of 3912 3568 Dmcibama.exe 107 PID 3568 wrote to memory of 3912 3568 Dmcibama.exe 107 PID 3568 wrote to memory of 3912 3568 Dmcibama.exe 107 PID 3912 wrote to memory of 3184 3912 Dejacond.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe"C:\Users\Admin\AppData\Local\Temp\e0f2baa3102bfbbed90e6f525474d418280ad1e75112316be922e4acebe87887.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Cenahpha.exeC:\Windows\system32\Cenahpha.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ceckcp32.exeC:\Windows\system32\Ceckcp32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Cdhhdlid.exeC:\Windows\system32\Cdhhdlid.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe23⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe25⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe27⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe28⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe29⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Emoinpcd.exeC:\Windows\system32\Emoinpcd.exe32⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe33⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe34⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe35⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Emaedo32.exeC:\Windows\system32\Emaedo32.exe36⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe37⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Edknqiho.exeC:\Windows\system32\Edknqiho.exe38⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe39⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe40⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe41⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe42⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe43⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe44⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe45⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe47⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe48⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe49⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe50⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe52⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe53⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Fkqeib32.exeC:\Windows\system32\Fkqeib32.exe54⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe55⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe56⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe57⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe58⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe59⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe60⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe61⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Gaogak32.exeC:\Windows\system32\Gaogak32.exe62⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe63⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Gochjpho.exeC:\Windows\system32\Gochjpho.exe64⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe65⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe66⤵PID:4960
-
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe67⤵PID:3404
-
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe68⤵PID:4480
-
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1708 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe70⤵PID:3304
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe71⤵PID:1900
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe72⤵PID:4348
-
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe73⤵PID:1412
-
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe74⤵PID:3756
-
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe75⤵PID:1496
-
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4024 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe77⤵PID:528
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe78⤵
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3288 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe80⤵PID:1188
-
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe81⤵PID:3580
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe82⤵PID:2100
-
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe83⤵PID:2208
-
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe86⤵PID:3156
-
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe87⤵PID:5116
-
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe88⤵PID:2412
-
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe89⤵PID:1488
-
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe90⤵
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe91⤵PID:3724
-
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe92⤵PID:5132
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe93⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe94⤵PID:5228
-
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe96⤵PID:5336
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe97⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe98⤵PID:5424
-
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe99⤵PID:5468
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe100⤵PID:5512
-
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe101⤵PID:5556
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe102⤵PID:5600
-
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe103⤵PID:5644
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe104⤵PID:5688
-
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe105⤵PID:5732
-
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe106⤵PID:5776
-
C:\Windows\SysWOW64\Ifdonfka.exeC:\Windows\system32\Ifdonfka.exe107⤵PID:5820
-
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe108⤵PID:5864
-
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe109⤵
- Modifies registry class
PID:5908 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe110⤵PID:5952
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe111⤵PID:5996
-
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe112⤵PID:6040
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe113⤵PID:6084
-
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe114⤵PID:6128
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe115⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe116⤵PID:5224
-
C:\Windows\SysWOW64\Ieliebnf.exeC:\Windows\system32\Ieliebnf.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Igjeanmj.exeC:\Windows\system32\Igjeanmj.exe118⤵PID:5396
-
C:\Windows\SysWOW64\Indmnh32.exeC:\Windows\system32\Indmnh32.exe119⤵PID:5460
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe120⤵PID:5524
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe121⤵PID:5580
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-