Analysis
-
max time kernel
123s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 13:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe
Resource
win7-20250207-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe
-
Size
1.9MB
-
MD5
7bc543f8b41ac7ea9e831a5c9d92dad5
-
SHA1
c50b340176c74448a06b31b2878d9c03dad7b0b5
-
SHA256
e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e
-
SHA512
d3dd664a5e0865aff311e65b081a9bffc9eb50dc3f17b714838879c4f7036031d06b2c2ff3a5e861987e78461633cc1a93c4b60bd8f415e60d27c509c1756047
-
SSDEEP
24576:NNIVyeNIVy2jUfzKNIVyeNIVy2jUK7NIVyeNIVy2jUfzKNIVyeNIVy2jUO:IyjQxyjEyjQxyjH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hojibgkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgopnbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlgnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjqhcno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipldpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkddmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogkhjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjfgealk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgofmjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nladpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmdabfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlhcl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqfdgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfilkbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfhob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpdkabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdcamko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqhbgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdanjaqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpkpbpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhhmebd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paelpcgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbccm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kafcadej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjmil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhfaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogfkpih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iandjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeblb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jigdoglm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkckoe32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4852 Cnndbecl.exe 4532 Djeegf32.exe 3036 Dqomdppm.exe 3916 Eonmkkmj.exe 1280 Eqmjen32.exe 2332 Ecblbi32.exe 2492 Fnhppa32.exe 3596 Fgqehgco.exe 5104 Fnjmea32.exe 1528 Fcgemhic.exe 1404 Fjanjb32.exe 2476 Fmpjfn32.exe 1176 Fpnfbi32.exe 4368 Fgencf32.exe 4440 Fnofpqff.exe 2672 Fanbll32.exe 2196 Fclohg32.exe 3816 Fjfgealk.exe 4628 Fmdcamko.exe 920 Fpbpmhjb.exe 4644 Ggjgofkd.exe 3440 Gjhdkajh.exe 4572 Gmfpgmil.exe 2016 Gpelchhp.exe 1444 Gfodpbpl.exe 1852 Gnfmapqo.exe 3704 Gadimkpb.exe 2508 Gcceifof.exe 5044 Gfaaebnj.exe 2164 Ghanoeel.exe 4056 Gjojkpdp.exe 2728 Gmnfglcd.exe 1700 Gplbcgbg.exe 668 Ghcjedcj.exe 2764 Gjagapbn.exe 1096 Gmpcmkaa.exe 2084 Hcjkje32.exe 3196 Hfhgfaha.exe 1560 Hnpognhd.exe 2216 Hanlcjgh.exe 3552 Hdlhoefk.exe 3116 Hjfplo32.exe 4300 Hmdlhk32.exe 3812 Hdodeedi.exe 2504 Hfmqapcl.exe 1536 Hndibn32.exe 4468 Hpeejfjm.exe 1984 Hhmmkcko.exe 660 Hjkigojc.exe 3952 Hmifcjif.exe 3600 Hdcnpd32.exe 4072 Hfajlp32.exe 1780 Hoibmmpi.exe 5152 Hagnihom.exe 5192 Ihagfb32.exe 5232 Ijpcbn32.exe 5272 Imnoni32.exe 5312 Iplkje32.exe 5352 Iffcgoka.exe 5392 Ionlhlld.exe 5432 Ipohpdbb.exe 5472 Ihfpabbd.exe 5512 Ikdlmmbh.exe 5552 Iandjg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bafnmnjn.exe Blieeglf.exe File created C:\Windows\SysWOW64\Cdnmphag.exe Cbpacmbc.exe File opened for modification C:\Windows\SysWOW64\Iioicn32.exe Ifplgc32.exe File created C:\Windows\SysWOW64\Gdacoimi.dll Ijlkqj32.exe File created C:\Windows\SysWOW64\Gpmdim32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ljjpgh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nfaicg32.exe Process not Found File created C:\Windows\SysWOW64\Cmccpmdn.dll Process not Found File created C:\Windows\SysWOW64\Gdadcp32.dll Pblhalfm.exe File opened for modification C:\Windows\SysWOW64\Jdkkjl32.exe Innfgb32.exe File created C:\Windows\SysWOW64\Peokkbao.exe Podcnh32.exe File created C:\Windows\SysWOW64\Pamgnckh.dll Dqomdppm.exe File created C:\Windows\SysWOW64\Omhicj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Defadfql.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ckjpdm32.exe Process not Found File created C:\Windows\SysWOW64\Ifiachpe.exe Process not Found File created C:\Windows\SysWOW64\Jplcocfn.dll Mchhamcl.exe File created C:\Windows\SysWOW64\Cleeafbi.exe Cdnmphag.exe File created C:\Windows\SysWOW64\Mcnjga32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pnakld32.exe Process not Found File created C:\Windows\SysWOW64\Bnmmdjpf.exe Process not Found File created C:\Windows\SysWOW64\Fnhppa32.exe Ecblbi32.exe File created C:\Windows\SysWOW64\Goconkah.exe Goabhl32.exe File created C:\Windows\SysWOW64\Llelkhhc.dll Hodgei32.exe File created C:\Windows\SysWOW64\Ndlalabo.dll Mingbhon.exe File opened for modification C:\Windows\SysWOW64\Hdehho32.exe Hkmdoi32.exe File created C:\Windows\SysWOW64\Edakbbdl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ndfqlnno.exe Nphhfp32.exe File opened for modification C:\Windows\SysWOW64\Ocamcc32.exe Opcqgh32.exe File opened for modification C:\Windows\SysWOW64\Mfnhpblk.exe Process not Found File created C:\Windows\SysWOW64\Ihmaepdd.dll Process not Found File created C:\Windows\SysWOW64\Kaonaekb.exe Jkeedk32.exe File created C:\Windows\SysWOW64\Ajphagha.exe Qnihlf32.exe File created C:\Windows\SysWOW64\Hnmake32.dll Epmmjnkp.exe File created C:\Windows\SysWOW64\Lemhnn32.exe Process not Found File created C:\Windows\SysWOW64\Jiokkimm.exe Process not Found File created C:\Windows\SysWOW64\Cldgmgml.exe Balfko32.exe File opened for modification C:\Windows\SysWOW64\Ooehkimb.exe Process not Found File created C:\Windows\SysWOW64\Pnakld32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jgdphm32.exe Jdfcla32.exe File created C:\Windows\SysWOW64\Flkemj32.dll Cocamaam.exe File opened for modification C:\Windows\SysWOW64\Ioikon32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Epkeaopb.exe Process not Found File created C:\Windows\SysWOW64\Khbfkeja.dll Process not Found File created C:\Windows\SysWOW64\Qlhnng32.exe Qgkeep32.exe File opened for modification C:\Windows\SysWOW64\Ljfodd32.exe Liecmlno.exe File opened for modification C:\Windows\SysWOW64\Fdlcehhn.exe Embkhn32.exe File created C:\Windows\SysWOW64\Ppmammbl.dll Kjccna32.exe File created C:\Windows\SysWOW64\Mdpaai32.exe Process not Found File created C:\Windows\SysWOW64\Hkhpnmmj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mjhlifpp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lfeaegdi.exe Lbjeei32.exe File created C:\Windows\SysWOW64\Fdnipbbo.exe Fbomfokl.exe File opened for modification C:\Windows\SysWOW64\Icalij32.exe Inecac32.exe File created C:\Windows\SysWOW64\Fmiajm32.dll Ohggah32.exe File created C:\Windows\SysWOW64\Jjihpgcl.exe Process not Found File created C:\Windows\SysWOW64\Qjhaok32.dll Process not Found File created C:\Windows\SysWOW64\Nmpkkpfi.exe Process not Found File created C:\Windows\SysWOW64\Cmgjpi32.exe Capikhgh.exe File opened for modification C:\Windows\SysWOW64\Fmgecn32.exe Ffmmgceo.exe File created C:\Windows\SysWOW64\Dbfpoddf.dll Fifhmi32.exe File created C:\Windows\SysWOW64\Amhlpb32.exe Alfpijll.exe File created C:\Windows\SysWOW64\Jhfqdddd.dll Process not Found File created C:\Windows\SysWOW64\Ceihffad.exe Bnppim32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9100 6996 Process not Found 1813 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojndd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejebdig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcjqcnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmlphfed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeaegdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgghdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiidnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdoae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhihnihm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqhcno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjehbaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodaikfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjcgdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkhec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlciobhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Molefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdkkjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohjebkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbghpinc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjccna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajoapdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocamaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jalakeme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdeinhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqklhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhahiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpnfbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihkila32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocamk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balfko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldleoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcahgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihkjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjadck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepcqnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlhnng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pklkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiaqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfjbpmn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfodpbpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iioicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdifhkni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chbcphph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdmedg.dll" Modgnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdlhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiebieom.dll" Oghgbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eedkniob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beeokgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jalakeme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nimbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnqfekhi.dll" Fpfppl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eekanh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boeelcmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnbpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjdclhp.dll" Hhmmkcko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmjmqjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jccfhp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgqiiph.dll" Ipohpdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpjfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pagbklae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgakgm32.dll" Hcpjpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajckbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkcehaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooeol32.dll" Lkldlgok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnlkllcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjggaooi.dll" Jilnjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnmkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdlpjicj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onglec32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oioldk32.dll" Fkopgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glcelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkpbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmmekboo.dll" Jcmdkbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnekgij.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbqnqnmn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoieg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhmfba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhqicgm.dll" Jmlkpgia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnpcjplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgaeio32.dll" Nccqbeec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinbhb32.dll" Gdglfqjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafnmnjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodphf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfcdcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eipmlo32.dll" Ngnnbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocnampdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfphjcf.dll" Qfhdnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apcemh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 4852 1976 e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe 86 PID 1976 wrote to memory of 4852 1976 e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe 86 PID 1976 wrote to memory of 4852 1976 e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe 86 PID 4852 wrote to memory of 4532 4852 Cnndbecl.exe 87 PID 4852 wrote to memory of 4532 4852 Cnndbecl.exe 87 PID 4852 wrote to memory of 4532 4852 Cnndbecl.exe 87 PID 4532 wrote to memory of 3036 4532 Djeegf32.exe 88 PID 4532 wrote to memory of 3036 4532 Djeegf32.exe 88 PID 4532 wrote to memory of 3036 4532 Djeegf32.exe 88 PID 3036 wrote to memory of 3916 3036 Dqomdppm.exe 89 PID 3036 wrote to memory of 3916 3036 Dqomdppm.exe 89 PID 3036 wrote to memory of 3916 3036 Dqomdppm.exe 89 PID 3916 wrote to memory of 1280 3916 Eonmkkmj.exe 90 PID 3916 wrote to memory of 1280 3916 Eonmkkmj.exe 90 PID 3916 wrote to memory of 1280 3916 Eonmkkmj.exe 90 PID 1280 wrote to memory of 2332 1280 Eqmjen32.exe 91 PID 1280 wrote to memory of 2332 1280 Eqmjen32.exe 91 PID 1280 wrote to memory of 2332 1280 Eqmjen32.exe 91 PID 2332 wrote to memory of 2492 2332 Ecblbi32.exe 92 PID 2332 wrote to memory of 2492 2332 Ecblbi32.exe 92 PID 2332 wrote to memory of 2492 2332 Ecblbi32.exe 92 PID 2492 wrote to memory of 3596 2492 Fnhppa32.exe 93 PID 2492 wrote to memory of 3596 2492 Fnhppa32.exe 93 PID 2492 wrote to memory of 3596 2492 Fnhppa32.exe 93 PID 3596 wrote to memory of 5104 3596 Fgqehgco.exe 94 PID 3596 wrote to memory of 5104 3596 Fgqehgco.exe 94 PID 3596 wrote to memory of 5104 3596 Fgqehgco.exe 94 PID 5104 wrote to memory of 1528 5104 Fnjmea32.exe 95 PID 5104 wrote to memory of 1528 5104 Fnjmea32.exe 95 PID 5104 wrote to memory of 1528 5104 Fnjmea32.exe 95 PID 1528 wrote to memory of 1404 1528 Fcgemhic.exe 96 PID 1528 wrote to memory of 1404 1528 Fcgemhic.exe 96 PID 1528 wrote to memory of 1404 1528 Fcgemhic.exe 96 PID 1404 wrote to memory of 2476 1404 Fjanjb32.exe 97 PID 1404 wrote to memory of 2476 1404 Fjanjb32.exe 97 PID 1404 wrote to memory of 2476 1404 Fjanjb32.exe 97 PID 2476 wrote to memory of 1176 2476 Fmpjfn32.exe 98 PID 2476 wrote to memory of 1176 2476 Fmpjfn32.exe 98 PID 2476 wrote to memory of 1176 2476 Fmpjfn32.exe 98 PID 1176 wrote to memory of 4368 1176 Fpnfbi32.exe 99 PID 1176 wrote to memory of 4368 1176 Fpnfbi32.exe 99 PID 1176 wrote to memory of 4368 1176 Fpnfbi32.exe 99 PID 4368 wrote to memory of 4440 4368 Fgencf32.exe 100 PID 4368 wrote to memory of 4440 4368 Fgencf32.exe 100 PID 4368 wrote to memory of 4440 4368 Fgencf32.exe 100 PID 4440 wrote to memory of 2672 4440 Fnofpqff.exe 101 PID 4440 wrote to memory of 2672 4440 Fnofpqff.exe 101 PID 4440 wrote to memory of 2672 4440 Fnofpqff.exe 101 PID 2672 wrote to memory of 2196 2672 Fanbll32.exe 102 PID 2672 wrote to memory of 2196 2672 Fanbll32.exe 102 PID 2672 wrote to memory of 2196 2672 Fanbll32.exe 102 PID 2196 wrote to memory of 3816 2196 Fclohg32.exe 103 PID 2196 wrote to memory of 3816 2196 Fclohg32.exe 103 PID 2196 wrote to memory of 3816 2196 Fclohg32.exe 103 PID 3816 wrote to memory of 4628 3816 Fjfgealk.exe 104 PID 3816 wrote to memory of 4628 3816 Fjfgealk.exe 104 PID 3816 wrote to memory of 4628 3816 Fjfgealk.exe 104 PID 4628 wrote to memory of 920 4628 Fmdcamko.exe 105 PID 4628 wrote to memory of 920 4628 Fmdcamko.exe 105 PID 4628 wrote to memory of 920 4628 Fmdcamko.exe 105 PID 920 wrote to memory of 4644 920 Fpbpmhjb.exe 106 PID 920 wrote to memory of 4644 920 Fpbpmhjb.exe 106 PID 920 wrote to memory of 4644 920 Fpbpmhjb.exe 106 PID 4644 wrote to memory of 3440 4644 Ggjgofkd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe"C:\Users\Admin\AppData\Local\Temp\e2959cfd4397d6521348b47dd05b3920f7ed4c00798dda08d614e0f69e19cb4e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Cnndbecl.exeC:\Windows\system32\Cnndbecl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Djeegf32.exeC:\Windows\system32\Djeegf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Dqomdppm.exeC:\Windows\system32\Dqomdppm.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Eqmjen32.exeC:\Windows\system32\Eqmjen32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Ecblbi32.exeC:\Windows\system32\Ecblbi32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Fgqehgco.exeC:\Windows\system32\Fgqehgco.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Fcgemhic.exeC:\Windows\system32\Fcgemhic.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Fjanjb32.exeC:\Windows\system32\Fjanjb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Fpnfbi32.exeC:\Windows\system32\Fpnfbi32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Fgencf32.exeC:\Windows\system32\Fgencf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\Fnofpqff.exeC:\Windows\system32\Fnofpqff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\SysWOW64\Fanbll32.exeC:\Windows\system32\Fanbll32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fclohg32.exeC:\Windows\system32\Fclohg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Fjfgealk.exeC:\Windows\system32\Fjfgealk.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Fmdcamko.exeC:\Windows\system32\Fmdcamko.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Fpbpmhjb.exeC:\Windows\system32\Fpbpmhjb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Ggjgofkd.exeC:\Windows\system32\Ggjgofkd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Gjhdkajh.exeC:\Windows\system32\Gjhdkajh.exe23⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Gmfpgmil.exeC:\Windows\system32\Gmfpgmil.exe24⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Gpelchhp.exeC:\Windows\system32\Gpelchhp.exe25⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Gfodpbpl.exeC:\Windows\system32\Gfodpbpl.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Gnfmapqo.exeC:\Windows\system32\Gnfmapqo.exe27⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Gadimkpb.exeC:\Windows\system32\Gadimkpb.exe28⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Gcceifof.exeC:\Windows\system32\Gcceifof.exe29⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Gfaaebnj.exeC:\Windows\system32\Gfaaebnj.exe30⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Ghanoeel.exeC:\Windows\system32\Ghanoeel.exe31⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Gjojkpdp.exeC:\Windows\system32\Gjojkpdp.exe32⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Gmnfglcd.exeC:\Windows\system32\Gmnfglcd.exe33⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Gplbcgbg.exeC:\Windows\system32\Gplbcgbg.exe34⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ghcjedcj.exeC:\Windows\system32\Ghcjedcj.exe35⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Gjagapbn.exeC:\Windows\system32\Gjagapbn.exe36⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Gmpcmkaa.exeC:\Windows\system32\Gmpcmkaa.exe37⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Hcjkje32.exeC:\Windows\system32\Hcjkje32.exe38⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hfhgfaha.exeC:\Windows\system32\Hfhgfaha.exe39⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Hnpognhd.exeC:\Windows\system32\Hnpognhd.exe40⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe41⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Hdlhoefk.exeC:\Windows\system32\Hdlhoefk.exe42⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Hjfplo32.exeC:\Windows\system32\Hjfplo32.exe43⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Hmdlhk32.exeC:\Windows\system32\Hmdlhk32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Hdodeedi.exeC:\Windows\system32\Hdodeedi.exe45⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Hfmqapcl.exeC:\Windows\system32\Hfmqapcl.exe46⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Hndibn32.exeC:\Windows\system32\Hndibn32.exe47⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Hpeejfjm.exeC:\Windows\system32\Hpeejfjm.exe48⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Hhmmkcko.exeC:\Windows\system32\Hhmmkcko.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Hjkigojc.exeC:\Windows\system32\Hjkigojc.exe50⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Hmifcjif.exeC:\Windows\system32\Hmifcjif.exe51⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Hdcnpd32.exeC:\Windows\system32\Hdcnpd32.exe52⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Hfajlp32.exeC:\Windows\system32\Hfajlp32.exe53⤵
- Executes dropped EXE
PID:4072 -
C:\Windows\SysWOW64\Hoibmmpi.exeC:\Windows\system32\Hoibmmpi.exe54⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Hagnihom.exeC:\Windows\system32\Hagnihom.exe55⤵
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Ihagfb32.exeC:\Windows\system32\Ihagfb32.exe56⤵
- Executes dropped EXE
PID:5192 -
C:\Windows\SysWOW64\Ijpcbn32.exeC:\Windows\system32\Ijpcbn32.exe57⤵
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Imnoni32.exeC:\Windows\system32\Imnoni32.exe58⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\Iplkje32.exeC:\Windows\system32\Iplkje32.exe59⤵
- Executes dropped EXE
PID:5312 -
C:\Windows\SysWOW64\Iffcgoka.exeC:\Windows\system32\Iffcgoka.exe60⤵
- Executes dropped EXE
PID:5352 -
C:\Windows\SysWOW64\Ionlhlld.exeC:\Windows\system32\Ionlhlld.exe61⤵
- Executes dropped EXE
PID:5392 -
C:\Windows\SysWOW64\Ipohpdbb.exeC:\Windows\system32\Ipohpdbb.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Ihfpabbd.exeC:\Windows\system32\Ihfpabbd.exe63⤵
- Executes dropped EXE
PID:5472 -
C:\Windows\SysWOW64\Ikdlmmbh.exeC:\Windows\system32\Ikdlmmbh.exe64⤵
- Executes dropped EXE
PID:5512 -
C:\Windows\SysWOW64\Iandjg32.exeC:\Windows\system32\Iandjg32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5552 -
C:\Windows\SysWOW64\Idmafc32.exeC:\Windows\system32\Idmafc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Igkmbn32.exeC:\Windows\system32\Igkmbn32.exe67⤵PID:5632
-
C:\Windows\SysWOW64\Imeeohoi.exeC:\Windows\system32\Imeeohoi.exe68⤵PID:5672
-
C:\Windows\SysWOW64\Ipcakd32.exeC:\Windows\system32\Ipcakd32.exe69⤵PID:5712
-
C:\Windows\SysWOW64\Ihkila32.exeC:\Windows\system32\Ihkila32.exe70⤵
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Iodaikfl.exeC:\Windows\system32\Iodaikfl.exe71⤵
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Windows\SysWOW64\Jacnegep.exeC:\Windows\system32\Jacnegep.exe72⤵PID:5832
-
C:\Windows\SysWOW64\Jhmfba32.exeC:\Windows\system32\Jhmfba32.exe73⤵
- Modifies registry class
PID:5872 -
C:\Windows\SysWOW64\Jkkbnl32.exeC:\Windows\system32\Jkkbnl32.exe74⤵PID:5912
-
C:\Windows\SysWOW64\Jaekkfcm.exeC:\Windows\system32\Jaekkfcm.exe75⤵PID:5952
-
C:\Windows\SysWOW64\Jddggb32.exeC:\Windows\system32\Jddggb32.exe76⤵PID:5992
-
C:\Windows\SysWOW64\Jgbccm32.exeC:\Windows\system32\Jgbccm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Jmlkpgia.exeC:\Windows\system32\Jmlkpgia.exe78⤵
- Modifies registry class
PID:6072 -
C:\Windows\SysWOW64\Jdfcla32.exeC:\Windows\system32\Jdfcla32.exe79⤵
- Drops file in System32 directory
PID:6112 -
C:\Windows\SysWOW64\Jgdphm32.exeC:\Windows\system32\Jgdphm32.exe80⤵PID:3040
-
C:\Windows\SysWOW64\Jmnheggo.exeC:\Windows\system32\Jmnheggo.exe81⤵PID:1836
-
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3612 -
C:\Windows\SysWOW64\Jhdlbp32.exeC:\Windows\system32\Jhdlbp32.exe83⤵PID:4480
-
C:\Windows\SysWOW64\Jondojna.exeC:\Windows\system32\Jondojna.exe84⤵PID:2236
-
C:\Windows\SysWOW64\Jalakeme.exeC:\Windows\system32\Jalakeme.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Jdkmgali.exeC:\Windows\system32\Jdkmgali.exe86⤵PID:3180
-
C:\Windows\SysWOW64\Jkeedk32.exeC:\Windows\system32\Jkeedk32.exe87⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Kaonaekb.exeC:\Windows\system32\Kaonaekb.exe88⤵PID:5264
-
C:\Windows\SysWOW64\Kdmjmqjf.exeC:\Windows\system32\Kdmjmqjf.exe89⤵
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Kkgbjkac.exeC:\Windows\system32\Kkgbjkac.exe90⤵PID:5428
-
C:\Windows\SysWOW64\Knenffqf.exeC:\Windows\system32\Knenffqf.exe91⤵PID:5504
-
C:\Windows\SysWOW64\Kpdjbapj.exeC:\Windows\system32\Kpdjbapj.exe92⤵PID:5580
-
C:\Windows\SysWOW64\Kgnbol32.exeC:\Windows\system32\Kgnbol32.exe93⤵PID:5660
-
C:\Windows\SysWOW64\Koekpi32.exeC:\Windows\system32\Koekpi32.exe94⤵PID:5736
-
C:\Windows\SysWOW64\Kacgld32.exeC:\Windows\system32\Kacgld32.exe95⤵PID:5816
-
C:\Windows\SysWOW64\Khmoionj.exeC:\Windows\system32\Khmoionj.exe96⤵PID:5880
-
C:\Windows\SysWOW64\Koggehff.exeC:\Windows\system32\Koggehff.exe97⤵PID:5960
-
C:\Windows\SysWOW64\Kafcadej.exeC:\Windows\system32\Kafcadej.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Khplnn32.exeC:\Windows\system32\Khplnn32.exe99⤵PID:6100
-
C:\Windows\SysWOW64\Kknhjj32.exeC:\Windows\system32\Kknhjj32.exe100⤵PID:1868
-
C:\Windows\SysWOW64\Knldfe32.exeC:\Windows\system32\Knldfe32.exe101⤵PID:3788
-
C:\Windows\SysWOW64\Kdfmcobk.exeC:\Windows\system32\Kdfmcobk.exe102⤵PID:2864
-
C:\Windows\SysWOW64\Kgeiokao.exeC:\Windows\system32\Kgeiokao.exe103⤵PID:4112
-
C:\Windows\SysWOW64\Kolaqh32.exeC:\Windows\system32\Kolaqh32.exe104⤵PID:6156
-
C:\Windows\SysWOW64\Lajmmc32.exeC:\Windows\system32\Lajmmc32.exe105⤵PID:6192
-
C:\Windows\SysWOW64\Lhdeinhb.exeC:\Windows\system32\Lhdeinhb.exe106⤵
- System Location Discovery: System Language Discovery
PID:6236 -
C:\Windows\SysWOW64\Lkcaeige.exeC:\Windows\system32\Lkcaeige.exe107⤵PID:6276
-
C:\Windows\SysWOW64\Lamjbc32.exeC:\Windows\system32\Lamjbc32.exe108⤵PID:6316
-
C:\Windows\SysWOW64\Ldkfno32.exeC:\Windows\system32\Ldkfno32.exe109⤵PID:6356
-
C:\Windows\SysWOW64\Lkenkhec.exeC:\Windows\system32\Lkenkhec.exe110⤵PID:6396
-
C:\Windows\SysWOW64\Lncjgddf.exeC:\Windows\system32\Lncjgddf.exe111⤵PID:6436
-
C:\Windows\SysWOW64\Lqbgcp32.exeC:\Windows\system32\Lqbgcp32.exe112⤵PID:6472
-
C:\Windows\SysWOW64\Lglopjkg.exeC:\Windows\system32\Lglopjkg.exe113⤵PID:6516
-
C:\Windows\SysWOW64\Locgagli.exeC:\Windows\system32\Locgagli.exe114⤵PID:6556
-
C:\Windows\SysWOW64\Laacmbkm.exeC:\Windows\system32\Laacmbkm.exe115⤵PID:6596
-
C:\Windows\SysWOW64\Lhkkjl32.exeC:\Windows\system32\Lhkkjl32.exe116⤵PID:6636
-
C:\Windows\SysWOW64\Lkjhfh32.exeC:\Windows\system32\Lkjhfh32.exe117⤵PID:6676
-
C:\Windows\SysWOW64\Ladpcb32.exeC:\Windows\system32\Ladpcb32.exe118⤵PID:6716
-
C:\Windows\SysWOW64\Ldblon32.exeC:\Windows\system32\Ldblon32.exe119⤵PID:6756
-
C:\Windows\SysWOW64\Lkldlgok.exeC:\Windows\system32\Lkldlgok.exe120⤵
- Modifies registry class
PID:6796 -
C:\Windows\SysWOW64\Mnjqhcno.exeC:\Windows\system32\Mnjqhcno.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-