Analysis
-
max time kernel
142s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
27/11/2023, 16:41
Behavioral task
behavioral1
Sample
cbc90c2f1f451db213486f7b2dcbdcbe.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cbc90c2f1f451db213486f7b2dcbdcbe.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
cbc90c2f1f451db213486f7b2dcbdcbe.exe
-
Size
305KB
-
MD5
cbc90c2f1f451db213486f7b2dcbdcbe
-
SHA1
c7dd65ccaf8f058d9dce97a4d6e6451c1a8c554f
-
SHA256
8a1b6d77bed5ce65921126c0508d70869d478cd928267e7025eadbcd36a88472
-
SHA512
23d78116fcab977d48c60fe3fbbaa103cd03e2b1bdf765a53862bcb5888fedb2f2abe4f1ba8464fdf316589b281f23779c41d3fe3454f84af286dcb9198a67fe
-
SSDEEP
6144:kDbiSbF8JdegNxunXe8yhrtMsQBvli+RQFdq:Ob67vAO8qRMsrOQF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ockdmmoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgnqgqan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlkfbocp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqkondfl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjnqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcngpjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alqjpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jocnlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnnbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hibjli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlglidlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enjfli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklmpalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opclldhj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kakmna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fklcgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megljppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiokinbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ampaho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbnpnme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihmfco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iomoenej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpeiie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enemaimp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcbnnpka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfgkffn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epmmqheb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbnlaldg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccppmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibaeen32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/2052-0-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0008000000022dce-6.dat family_berbew behavioral2/files/0x0008000000022dce-7.dat family_berbew behavioral2/memory/1920-12-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022de9-14.dat family_berbew behavioral2/memory/628-15-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022de9-16.dat family_berbew behavioral2/files/0x0006000000022deb-22.dat family_berbew behavioral2/memory/2004-24-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022deb-23.dat family_berbew behavioral2/files/0x0006000000022ded-30.dat family_berbew behavioral2/memory/4568-32-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022ded-31.dat family_berbew behavioral2/files/0x0006000000022def-38.dat family_berbew behavioral2/memory/220-39-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022def-40.dat family_berbew behavioral2/files/0x0006000000022df2-46.dat family_berbew behavioral2/files/0x0006000000022df2-48.dat family_berbew behavioral2/memory/2660-47-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022df5-54.dat family_berbew behavioral2/memory/3572-55-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022df5-56.dat family_berbew behavioral2/files/0x0008000000022dd1-63.dat family_berbew behavioral2/files/0x0008000000022dd1-62.dat family_berbew behavioral2/memory/4292-64-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022df9-72.dat family_berbew behavioral2/memory/992-71-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfb-78.dat family_berbew behavioral2/files/0x0006000000022df9-70.dat family_berbew behavioral2/memory/1656-80-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022dfb-79.dat family_berbew behavioral2/files/0x0006000000022dfd-86.dat family_berbew behavioral2/files/0x0006000000022dfd-87.dat family_berbew behavioral2/memory/4068-88-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e00-94.dat family_berbew behavioral2/memory/2460-95-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e00-96.dat family_berbew behavioral2/files/0x0006000000022e02-97.dat family_berbew behavioral2/files/0x0006000000022e02-103.dat family_berbew behavioral2/memory/872-104-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e02-102.dat family_berbew behavioral2/files/0x0006000000022e04-111.dat family_berbew behavioral2/files/0x0006000000022e04-110.dat family_berbew behavioral2/memory/1820-112-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e06-118.dat family_berbew behavioral2/memory/428-120-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/3632-131-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e08-127.dat family_berbew behavioral2/files/0x0006000000022e0a-134.dat family_berbew behavioral2/memory/3660-140-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e0e-149.dat family_berbew behavioral2/files/0x0006000000022e0e-150.dat family_berbew behavioral2/files/0x0006000000022e0c-143.dat family_berbew behavioral2/memory/3348-155-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e10-157.dat family_berbew behavioral2/memory/2752-163-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/memory/3080-165-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e10-158.dat family_berbew behavioral2/files/0x0006000000022e0c-142.dat family_berbew behavioral2/files/0x0006000000022e0a-135.dat family_berbew behavioral2/files/0x0006000000022e08-126.dat family_berbew behavioral2/memory/2552-168-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral2/files/0x0006000000022e12-167.dat family_berbew behavioral2/files/0x0006000000022e12-166.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1920 Achegd32.exe 628 Alqjpi32.exe 2004 Aoabad32.exe 4568 Ajggomog.exe 220 Bfngdn32.exe 2660 Bjlpjm32.exe 3572 Bjnmpl32.exe 4292 Bkafmd32.exe 992 Bblnindg.exe 1656 Bkdcbd32.exe 4068 Cobkhb32.exe 2460 Cmflbf32.exe 872 Cbeapmll.exe 1820 Ccdnjp32.exe 428 Dbjkkl32.exe 3632 Dmoohe32.exe 3660 Dblgpl32.exe 2752 Dpphjp32.exe 3348 Djelgied.exe 3080 Dlghoa32.exe 2552 Dlieda32.exe 3828 Dlkbjqgm.exe 3268 Ebhglj32.exe 1632 Elpkep32.exe 4836 Emphocjj.exe 1884 Eciplm32.exe 4148 Eppqqn32.exe 1328 Fpbmfn32.exe 4088 Fjhacf32.exe 2076 Fimodc32.exe 648 Ffaong32.exe 4016 Flngfn32.exe 2544 Fjohde32.exe 1912 Fjadje32.exe 1580 Gbmingjo.exe 4012 Gigaka32.exe 4468 Gfkbde32.exe 4460 Glgjlm32.exe 2772 Gfmojenc.exe 2248 Gmggfp32.exe 1128 Gdaociml.exe 4776 Gbfldf32.exe 3736 Hmlpaoaj.exe 5064 Hbhijepa.exe 3864 Hlambk32.exe 5048 Hienlpel.exe 3800 Hginecde.exe 3140 Hmbfbn32.exe 3376 Hcpojd32.exe 3260 Hmechmip.exe 1616 Hgmgqc32.exe 3004 Ingpmmgm.exe 384 Idahjg32.exe 532 Injmcmej.exe 3012 Idcepgmg.exe 2268 Iknmla32.exe 320 Iloidijb.exe 1756 Ipoopgnf.exe 3588 Igigla32.exe 4768 Jpaleglc.exe 2508 Jgkdbacp.exe 4644 Jjjpnlbd.exe 3052 Jgnqgqan.exe 4952 Jlkipgpe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Emphocjj.exe Elpkep32.exe File created C:\Windows\SysWOW64\Ljcpchlo.dll Ieidhh32.exe File opened for modification C:\Windows\SysWOW64\Mjlhgaqp.exe Mcbpjg32.exe File opened for modification C:\Windows\SysWOW64\Fklcgk32.exe Fdbkja32.exe File opened for modification C:\Windows\SysWOW64\Dblgpl32.exe Dmoohe32.exe File opened for modification C:\Windows\SysWOW64\Hmechmip.exe Hcpojd32.exe File created C:\Windows\SysWOW64\Mckdpoji.dll Jnjejjgh.exe File created C:\Windows\SysWOW64\Kmfhkf32.exe Kkeldnpi.exe File created C:\Windows\SysWOW64\Djgdkk32.exe Dgihop32.exe File created C:\Windows\SysWOW64\Jddnfd32.exe Jnjejjgh.exe File created C:\Windows\SysWOW64\Lknojl32.exe Lcggio32.exe File opened for modification C:\Windows\SysWOW64\Qmgelf32.exe Qfmmplad.exe File created C:\Windows\SysWOW64\Ihkjno32.exe Hbnaeh32.exe File created C:\Windows\SysWOW64\Cacmpj32.exe Cgmhcaac.exe File created C:\Windows\SysWOW64\Ljeafb32.exe Lckiihok.exe File created C:\Windows\SysWOW64\Finnef32.exe Fqgedh32.exe File created C:\Windows\SysWOW64\Gdaociml.exe Gmggfp32.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Najmjokc.exe File opened for modification C:\Windows\SysWOW64\Cljobphg.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Hoobdp32.exe Hibjli32.exe File created C:\Windows\SysWOW64\Jgpmmp32.exe Jlkipgpe.exe File created C:\Windows\SysWOW64\Ekfcklij.dll Cdlqqcnl.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Dmadco32.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Ejagaj32.exe File created C:\Windows\SysWOW64\Nfaemp32.exe Ncchae32.exe File created C:\Windows\SysWOW64\Fbdnne32.exe Fcbnpnme.exe File opened for modification C:\Windows\SysWOW64\Lmpkadnm.exe Lknojl32.exe File opened for modification C:\Windows\SysWOW64\Gikdkj32.exe Gbalopbn.exe File opened for modification C:\Windows\SysWOW64\Ljnlecmp.exe Lpfgmnfp.exe File created C:\Windows\SysWOW64\Nbbeml32.exe Nodiqp32.exe File opened for modification C:\Windows\SysWOW64\Ehndnh32.exe Ebdlangb.exe File opened for modification C:\Windows\SysWOW64\Eqmlccdi.exe Ekqckmfb.exe File created C:\Windows\SysWOW64\Lgjijmin.exe Lkchelci.exe File created C:\Windows\SysWOW64\Alkijdci.exe Aafemk32.exe File created C:\Windows\SysWOW64\Cbdjeg32.exe Ckjbhmad.exe File opened for modification C:\Windows\SysWOW64\Ieidhh32.exe Ickglm32.exe File opened for modification C:\Windows\SysWOW64\Akblfj32.exe Apmhiq32.exe File created C:\Windows\SysWOW64\Lmpkadnm.exe Lknojl32.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nenbjo32.exe File opened for modification C:\Windows\SysWOW64\Njmhhefi.exe Naecop32.exe File created C:\Windows\SysWOW64\Ajhapb32.dll Nciopppp.exe File opened for modification C:\Windows\SysWOW64\Bjfogbjb.exe Bpqjjjjl.exe File created C:\Windows\SysWOW64\Ppgegd32.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Olaafabl.dll Conanfli.exe File created C:\Windows\SysWOW64\Pbcncibp.exe Omfekbdh.exe File opened for modification C:\Windows\SysWOW64\Hgmgqc32.exe Hmechmip.exe File created C:\Windows\SysWOW64\Adndoe32.exe Aaohcj32.exe File created C:\Windows\SysWOW64\Hipmfjee.exe Gpgind32.exe File created C:\Windows\SysWOW64\Iimcma32.exe Ibcjqgnm.exe File opened for modification C:\Windows\SysWOW64\Jhnojl32.exe Jadgnb32.exe File created C:\Windows\SysWOW64\Bcflijmh.dll Lkalplel.exe File created C:\Windows\SysWOW64\Cqopkcbn.dll Fpbflg32.exe File opened for modification C:\Windows\SysWOW64\Nqmojd32.exe Nciopppp.exe File created C:\Windows\SysWOW64\Ccppmc32.exe Cancekeo.exe File created C:\Windows\SysWOW64\Ddcebe32.exe Dmjmekgn.exe File created C:\Windows\SysWOW64\Dfpcgbim.dll Kqphfe32.exe File created C:\Windows\SysWOW64\Ofonqd32.dll Oogpjbbb.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Llodgnja.exe File created C:\Windows\SysWOW64\Cgifbhid.exe Cponen32.exe File opened for modification C:\Windows\SysWOW64\Dgbanq32.exe Ddcebe32.exe File created C:\Windows\SysWOW64\Igigla32.exe Ipoopgnf.exe File created C:\Windows\SysWOW64\Eodolnaf.dll Fbpchb32.exe File created C:\Windows\SysWOW64\Ecdbop32.exe Eaceghcg.exe File created C:\Windows\SysWOW64\Maenpfhk.dll Ooibkpmi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11996 4920 WerFault.exe 624 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqmhqapg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll" Ejlnfjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kjlopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adndoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaajhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblbgn32.dll" Aiplmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fjjjgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldipha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eqncnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aanpie32.dll" Amfobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcnla32.dll" Hemdlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egopbhnc.dll" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll" Pffgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpmhdmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjja32.dll" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll" Ofjqihnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll" Pfandnla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egnajocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll" Ppnenlka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll" Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll" Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaqdae32.dll" Jgkdbacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Paoollik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpfkpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll" Nmdgikhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gigaka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnlbojee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhain32.dll" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcflijmh.dll" Lkalplel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekodjiol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll" Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omfekbdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcadhpd.dll" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ekljpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll" Kiikpnmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll" Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnkfj32.dll" Hginecde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgjijmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmlag32.dll" Jaonbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aoabad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpbflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll" Fbdnne32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 1920 2052 cbc90c2f1f451db213486f7b2dcbdcbe.exe 84 PID 2052 wrote to memory of 1920 2052 cbc90c2f1f451db213486f7b2dcbdcbe.exe 84 PID 2052 wrote to memory of 1920 2052 cbc90c2f1f451db213486f7b2dcbdcbe.exe 84 PID 1920 wrote to memory of 628 1920 Achegd32.exe 85 PID 1920 wrote to memory of 628 1920 Achegd32.exe 85 PID 1920 wrote to memory of 628 1920 Achegd32.exe 85 PID 628 wrote to memory of 2004 628 Alqjpi32.exe 86 PID 628 wrote to memory of 2004 628 Alqjpi32.exe 86 PID 628 wrote to memory of 2004 628 Alqjpi32.exe 86 PID 2004 wrote to memory of 4568 2004 Aoabad32.exe 88 PID 2004 wrote to memory of 4568 2004 Aoabad32.exe 88 PID 2004 wrote to memory of 4568 2004 Aoabad32.exe 88 PID 4568 wrote to memory of 220 4568 Ajggomog.exe 89 PID 4568 wrote to memory of 220 4568 Ajggomog.exe 89 PID 4568 wrote to memory of 220 4568 Ajggomog.exe 89 PID 220 wrote to memory of 2660 220 Bfngdn32.exe 90 PID 220 wrote to memory of 2660 220 Bfngdn32.exe 90 PID 220 wrote to memory of 2660 220 Bfngdn32.exe 90 PID 2660 wrote to memory of 3572 2660 Bjlpjm32.exe 91 PID 2660 wrote to memory of 3572 2660 Bjlpjm32.exe 91 PID 2660 wrote to memory of 3572 2660 Bjlpjm32.exe 91 PID 3572 wrote to memory of 4292 3572 Bjnmpl32.exe 92 PID 3572 wrote to memory of 4292 3572 Bjnmpl32.exe 92 PID 3572 wrote to memory of 4292 3572 Bjnmpl32.exe 92 PID 4292 wrote to memory of 992 4292 Bkafmd32.exe 94 PID 4292 wrote to memory of 992 4292 Bkafmd32.exe 94 PID 4292 wrote to memory of 992 4292 Bkafmd32.exe 94 PID 992 wrote to memory of 1656 992 Bblnindg.exe 95 PID 992 wrote to memory of 1656 992 Bblnindg.exe 95 PID 992 wrote to memory of 1656 992 Bblnindg.exe 95 PID 1656 wrote to memory of 4068 1656 Bkdcbd32.exe 96 PID 1656 wrote to memory of 4068 1656 Bkdcbd32.exe 96 PID 1656 wrote to memory of 4068 1656 Bkdcbd32.exe 96 PID 4068 wrote to memory of 2460 4068 Cobkhb32.exe 97 PID 4068 wrote to memory of 2460 4068 Cobkhb32.exe 97 PID 4068 wrote to memory of 2460 4068 Cobkhb32.exe 97 PID 2460 wrote to memory of 872 2460 Cmflbf32.exe 99 PID 2460 wrote to memory of 872 2460 Cmflbf32.exe 99 PID 2460 wrote to memory of 872 2460 Cmflbf32.exe 99 PID 872 wrote to memory of 1820 872 Cbeapmll.exe 100 PID 872 wrote to memory of 1820 872 Cbeapmll.exe 100 PID 872 wrote to memory of 1820 872 Cbeapmll.exe 100 PID 1820 wrote to memory of 428 1820 Ccdnjp32.exe 101 PID 1820 wrote to memory of 428 1820 Ccdnjp32.exe 101 PID 1820 wrote to memory of 428 1820 Ccdnjp32.exe 101 PID 428 wrote to memory of 3632 428 Dbjkkl32.exe 102 PID 428 wrote to memory of 3632 428 Dbjkkl32.exe 102 PID 428 wrote to memory of 3632 428 Dbjkkl32.exe 102 PID 3632 wrote to memory of 3660 3632 Dmoohe32.exe 103 PID 3632 wrote to memory of 3660 3632 Dmoohe32.exe 103 PID 3632 wrote to memory of 3660 3632 Dmoohe32.exe 103 PID 3660 wrote to memory of 2752 3660 Dblgpl32.exe 104 PID 3660 wrote to memory of 2752 3660 Dblgpl32.exe 104 PID 3660 wrote to memory of 2752 3660 Dblgpl32.exe 104 PID 2752 wrote to memory of 3348 2752 Dpphjp32.exe 105 PID 2752 wrote to memory of 3348 2752 Dpphjp32.exe 105 PID 2752 wrote to memory of 3348 2752 Dpphjp32.exe 105 PID 3348 wrote to memory of 3080 3348 Djelgied.exe 107 PID 3348 wrote to memory of 3080 3348 Djelgied.exe 107 PID 3348 wrote to memory of 3080 3348 Djelgied.exe 107 PID 3080 wrote to memory of 2552 3080 Dlghoa32.exe 106 PID 3080 wrote to memory of 2552 3080 Dlghoa32.exe 106 PID 3080 wrote to memory of 2552 3080 Dlghoa32.exe 106 PID 2552 wrote to memory of 3828 2552 Dlieda32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbc90c2f1f451db213486f7b2dcbdcbe.exe"C:\Users\Admin\AppData\Local\Temp\cbc90c2f1f451db213486f7b2dcbdcbe.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe2⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe3⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe5⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe6⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe7⤵
- Executes dropped EXE
- Modifies registry class
PID:4148 -
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe8⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe9⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe10⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe11⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe12⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe13⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe14⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe15⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe16⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe17⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe18⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe19⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe21⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:4776 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe23⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe24⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe25⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe26⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3800 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe28⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe31⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe32⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe33⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe34⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe35⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe36⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe37⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe39⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe40⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4644 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4952 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3968 -
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe46⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe47⤵PID:4032
-
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe48⤵PID:2452
-
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe50⤵PID:5084
-
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe51⤵PID:2612
-
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe52⤵PID:1824
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe53⤵PID:4280
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe54⤵PID:3496
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe55⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe56⤵
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Kmfhkf32.exeC:\Windows\system32\Kmfhkf32.exe57⤵PID:1152
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe58⤵PID:4396
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe59⤵PID:672
-
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe60⤵PID:932
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3344 -
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe62⤵PID:4556
-
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3952 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe64⤵PID:2264
-
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:464 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe66⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe67⤵
- Drops file in System32 directory
PID:4808 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe68⤵PID:5132
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe69⤵PID:5172
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe71⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe72⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe73⤵
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe74⤵PID:5400
-
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe76⤵PID:5488
-
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe78⤵PID:5576
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe79⤵PID:5620
-
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe80⤵PID:5664
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe81⤵PID:5704
-
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe83⤵PID:5792
-
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe84⤵PID:5840
-
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe85⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe86⤵PID:5928
-
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe87⤵PID:5972
-
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe88⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe89⤵PID:6048
-
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe90⤵
- Drops file in System32 directory
PID:6100 -
C:\Windows\SysWOW64\Njmhhefi.exeC:\Windows\system32\Njmhhefi.exe91⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe92⤵PID:5168
-
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe93⤵PID:5232
-
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe94⤵
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe95⤵PID:5388
-
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe96⤵PID:5436
-
C:\Windows\SysWOW64\Olanmgig.exeC:\Windows\system32\Olanmgig.exe97⤵PID:5520
-
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe98⤵PID:5584
-
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe99⤵PID:5644
-
C:\Windows\SysWOW64\Omegjomb.exeC:\Windows\system32\Omegjomb.exe100⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe101⤵PID:5784
-
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe102⤵PID:5888
-
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe103⤵
- Drops file in System32 directory
PID:5948 -
C:\Windows\SysWOW64\Peahgl32.exeC:\Windows\system32\Peahgl32.exe104⤵PID:6036
-
C:\Windows\SysWOW64\Poimpapp.exeC:\Windows\system32\Poimpapp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6136 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe106⤵PID:5216
-
C:\Windows\SysWOW64\Pmoiqneg.exeC:\Windows\system32\Pmoiqneg.exe107⤵PID:5272
-
C:\Windows\SysWOW64\Plpjoe32.exeC:\Windows\system32\Plpjoe32.exe108⤵PID:5424
-
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe109⤵PID:5528
-
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe110⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Pldcjeia.exeC:\Windows\system32\Pldcjeia.exe111⤵PID:5716
-
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868 -
C:\Windows\SysWOW64\Qachgk32.exeC:\Windows\system32\Qachgk32.exe113⤵PID:5912
-
C:\Windows\SysWOW64\Qklmpalf.exeC:\Windows\system32\Qklmpalf.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe115⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Alkijdci.exeC:\Windows\system32\Alkijdci.exe116⤵PID:5392
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe118⤵PID:5692
-
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe119⤵PID:5936
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe120⤵PID:6108
-
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe121⤵PID:5248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-