Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04/05/2024, 17:27
Behavioral task
behavioral1
Sample
022e6b19ca261c4bfa1f1c5a5c4974fc.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
022e6b19ca261c4bfa1f1c5a5c4974fc.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
022e6b19ca261c4bfa1f1c5a5c4974fc.exe
-
Size
1.2MB
-
MD5
022e6b19ca261c4bfa1f1c5a5c4974fc
-
SHA1
e8cfa171f831345652e24c7c1ad3b3cf967f0b69
-
SHA256
6b34067b98936dc636474a01b1d1f9fecfc41cedd6433ace42398f35574a5bfe
-
SHA512
16cf683723e81ca9b45f07480b4ecfb8721a0d1aa3be15308fe47ef1b8a1d4142f74e2a5a8946830ff547fd7608c0e6ec705b41ae9fb64f957e0b4418d86236e
-
SSDEEP
12288:Ah4Osf0FHCXwpnsKvNA+XTvZHWuEo3oWbvrec:d0ZpsKv2EvZHp3oWbvrec
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffhpbacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbkeib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekklaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplkpgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkjcplpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpqdkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcbellac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdbbloa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjlqhoba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhahlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmneda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkndaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmkcoap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iajcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkcbgek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Baqbenep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkppbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jejhecaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfgebbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qedhdjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedkbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpkjko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokcgmee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pclfkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghelfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Moiklogi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpkjkma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afohaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojald32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jifdebic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpnanch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ekelld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcihlong.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2324-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2324-6-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x000d0000000139d9-5.dat family_berbew behavioral1/files/0x0007000000014216-18.dat family_berbew behavioral1/memory/2612-20-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x000700000001430e-32.dat family_berbew behavioral1/memory/1472-41-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00090000000143fa-53.dat family_berbew behavioral1/memory/2680-55-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000014e5a-61.dat family_berbew behavioral1/memory/2424-74-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015136-75.dat family_berbew behavioral1/memory/2424-77-0x0000000000270000-0x00000000002B1000-memory.dmp family_berbew behavioral1/memory/2896-83-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0033000000014183-89.dat family_berbew behavioral1/memory/2600-97-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000155e3-103.dat family_berbew behavioral1/memory/2788-110-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015b13-116.dat family_berbew behavioral1/files/0x0006000000015bb9-130.dat family_berbew behavioral1/memory/2928-132-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/380-138-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015c6d-150.dat family_berbew behavioral1/memory/2032-152-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015c86-158.dat family_berbew behavioral1/memory/2360-167-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015ca5-173.dat family_berbew behavioral1/memory/2360-179-0x0000000000300000-0x0000000000341000-memory.dmp family_berbew behavioral1/memory/1852-181-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015cca-206.dat family_berbew behavioral1/memory/488-207-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1408-226-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1712-237-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/856-248-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015f9e-252.dat family_berbew behavioral1/memory/984-267-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2144-302-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1656-309-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2532-381-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2904-401-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000017474-437.dat family_berbew behavioral1/files/0x0005000000019410-568.dat family_berbew behavioral1/files/0x00050000000195e6-612.dat family_berbew behavioral1/files/0x00050000000195ea-621.dat family_berbew behavioral1/files/0x00050000000195fc-677.dat family_berbew behavioral1/files/0x00050000000198c6-721.dat family_berbew behavioral1/files/0x0005000000019c2f-745.dat family_berbew behavioral1/files/0x0005000000019d94-756.dat family_berbew behavioral1/files/0x0005000000019dc1-768.dat family_berbew behavioral1/files/0x000500000001a079-791.dat family_berbew behavioral1/files/0x000500000001a3db-815.dat family_berbew behavioral1/files/0x000500000001a48a-865.dat family_berbew behavioral1/files/0x000500000001a4b0-893.dat family_berbew behavioral1/files/0x000500000001a4b4-904.dat family_berbew behavioral1/files/0x000500000001a4c0-950.dat family_berbew behavioral1/files/0x000500000001a4bc-933.dat family_berbew behavioral1/files/0x000500000001a4c5-961.dat family_berbew behavioral1/files/0x000500000001a4b8-920.dat family_berbew behavioral1/files/0x000500000001a4a0-877.dat family_berbew behavioral1/files/0x000500000001a4c9-979.dat family_berbew behavioral1/files/0x000500000001a4d2-1005.dat family_berbew behavioral1/files/0x000500000001a4cd-987.dat family_berbew behavioral1/files/0x000500000001a4d6-1018.dat family_berbew behavioral1/files/0x000500000001a471-853.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2612 Nqqdag32.exe 2636 Ngkmnacm.exe 1472 Nccjhafn.exe 2680 Onmkio32.exe 2424 Odjpkihg.exe 2896 Oqqapjnk.exe 2600 Pfbccp32.exe 2788 Piblek32.exe 2928 Piehkkcl.exe 380 Ppoqge32.exe 2032 Pijbfj32.exe 2360 Ajphib32.exe 1852 Adjigg32.exe 2076 Ambmpmln.exe 488 Apajlhka.exe 1408 Abpfhcje.exe 1712 Amejeljk.exe 856 Aoffmd32.exe 1436 Afmonbqk.exe 984 Ahokfj32.exe 1924 Boiccdnf.exe 2820 Bagpopmj.exe 2144 Bhahlj32.exe 1656 Baildokg.exe 2852 Bloqah32.exe 1272 Balijo32.exe 1560 Bnbjopoi.exe 2564 Banepo32.exe 2756 Bdlblj32.exe 2532 Bkfjhd32.exe 2588 Baqbenep.exe 2904 Bdooajdc.exe 2616 Cgmkmecg.exe 2760 Cjlgiqbk.exe 2044 Cpeofk32.exe 2300 Cgpgce32.exe 2396 Cnippoha.exe 280 Cllpkl32.exe 712 Ccfhhffh.exe 2128 Cfeddafl.exe 808 Chcqpmep.exe 1444 Clomqk32.exe 3036 Comimg32.exe 1008 Cbkeib32.exe 932 Cjbmjplb.exe 1692 Ckdjbh32.exe 2864 Cckace32.exe 3024 Cdlnkmha.exe 2512 Ckffgg32.exe 2556 Cndbcc32.exe 2736 Ddokpmfo.exe 2332 Dodonf32.exe 2692 Dhmcfkme.exe 1652 Dbehoa32.exe 2000 Dcfdgiid.exe 1364 Dnlidb32.exe 2780 Dchali32.exe 628 Djbiicon.exe 1608 Dqlafm32.exe 1152 Dfijnd32.exe 1928 Eqonkmdh.exe 2260 Eflgccbp.exe 3064 Emeopn32.exe 2292 Efncicpm.exe -
Loads dropped DLL 64 IoCs
pid Process 2324 022e6b19ca261c4bfa1f1c5a5c4974fc.exe 2324 022e6b19ca261c4bfa1f1c5a5c4974fc.exe 2612 Nqqdag32.exe 2612 Nqqdag32.exe 2636 Ngkmnacm.exe 2636 Ngkmnacm.exe 1472 Nccjhafn.exe 1472 Nccjhafn.exe 2680 Onmkio32.exe 2680 Onmkio32.exe 2424 Odjpkihg.exe 2424 Odjpkihg.exe 2896 Oqqapjnk.exe 2896 Oqqapjnk.exe 2600 Pfbccp32.exe 2600 Pfbccp32.exe 2788 Piblek32.exe 2788 Piblek32.exe 2928 Piehkkcl.exe 2928 Piehkkcl.exe 380 Ppoqge32.exe 380 Ppoqge32.exe 2032 Pijbfj32.exe 2032 Pijbfj32.exe 2360 Ajphib32.exe 2360 Ajphib32.exe 1852 Adjigg32.exe 1852 Adjigg32.exe 2076 Ambmpmln.exe 2076 Ambmpmln.exe 488 Apajlhka.exe 488 Apajlhka.exe 1408 Abpfhcje.exe 1408 Abpfhcje.exe 1712 Amejeljk.exe 1712 Amejeljk.exe 856 Aoffmd32.exe 856 Aoffmd32.exe 1436 Afmonbqk.exe 1436 Afmonbqk.exe 984 Ahokfj32.exe 984 Ahokfj32.exe 1924 Boiccdnf.exe 1924 Boiccdnf.exe 2820 Bagpopmj.exe 2820 Bagpopmj.exe 2144 Bhahlj32.exe 2144 Bhahlj32.exe 1656 Baildokg.exe 1656 Baildokg.exe 2852 Bloqah32.exe 2852 Bloqah32.exe 1540 Bghabf32.exe 1540 Bghabf32.exe 1560 Bnbjopoi.exe 1560 Bnbjopoi.exe 2564 Banepo32.exe 2564 Banepo32.exe 2756 Bdlblj32.exe 2756 Bdlblj32.exe 2532 Bkfjhd32.exe 2532 Bkfjhd32.exe 2588 Baqbenep.exe 2588 Baqbenep.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Baildokg.exe Bhahlj32.exe File opened for modification C:\Windows\SysWOW64\Dhpiojfb.exe Djmicm32.exe File opened for modification C:\Windows\SysWOW64\Gmdadnkh.exe Gjfdhbld.exe File created C:\Windows\SysWOW64\Ccfcekqe.dll Jgagfi32.exe File created C:\Windows\SysWOW64\Bjdmohgl.dll Lgjfkk32.exe File opened for modification C:\Windows\SysWOW64\Magqncba.exe Mmldme32.exe File created C:\Windows\SysWOW64\Pabfdklg.dll Ghhofmql.exe File created C:\Windows\SysWOW64\Lihmjejl.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Bocolb32.exe Bppoqeja.exe File opened for modification C:\Windows\SysWOW64\Dfdjhndl.exe Dbhnhp32.exe File created C:\Windows\SysWOW64\Fidoim32.exe Effcma32.exe File opened for modification C:\Windows\SysWOW64\Iipgcaob.exe Iedkbc32.exe File created C:\Windows\SysWOW64\Ajdlmi32.dll Meijhc32.exe File opened for modification C:\Windows\SysWOW64\Adjigg32.exe Ajphib32.exe File created C:\Windows\SysWOW64\Mkgfckcj.exe Mgljbm32.exe File created C:\Windows\SysWOW64\Kcbabf32.dll Ednpej32.exe File created C:\Windows\SysWOW64\Lbiqfied.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Lajhofao.exe Lmolnh32.exe File created C:\Windows\SysWOW64\Mooaljkh.exe Mpmapm32.exe File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe Nmpnhdfc.exe File opened for modification C:\Windows\SysWOW64\Dbehoa32.exe Dhmcfkme.exe File created C:\Windows\SysWOW64\Lkoabpeg.dll Gangic32.exe File created C:\Windows\SysWOW64\Kifpdelo.exe Kjcpii32.exe File created C:\Windows\SysWOW64\Lkncmmle.exe Llkbap32.exe File created C:\Windows\SysWOW64\Cfnlkbne.dll Lbeknj32.exe File opened for modification C:\Windows\SysWOW64\Pkpagq32.exe Pciifc32.exe File created C:\Windows\SysWOW64\Dfoqmo32.exe Dcadac32.exe File created C:\Windows\SysWOW64\Dlkepi32.exe Dhpiojfb.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Emdipg32.dll Jofiln32.exe File opened for modification C:\Windows\SysWOW64\Cjbmjplb.exe Cbkeib32.exe File created C:\Windows\SysWOW64\Ldflna32.dll Jqfffqpm.exe File opened for modification C:\Windows\SysWOW64\Olmhdf32.exe Ojolhk32.exe File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe Ejobhppq.exe File created C:\Windows\SysWOW64\Ibcidp32.dll Kocbkk32.exe File opened for modification C:\Windows\SysWOW64\Dhmcfkme.exe Dodonf32.exe File opened for modification C:\Windows\SysWOW64\Facdeo32.exe Fjilieka.exe File created C:\Windows\SysWOW64\Ahgnke32.exe Aidnohbk.exe File created C:\Windows\SysWOW64\Aadlcdpk.dll Lmikibio.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jfqahgpg.exe File created C:\Windows\SysWOW64\Iefmgahq.dll Bocolb32.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Ebodiofk.exe File opened for modification C:\Windows\SysWOW64\Ihgainbg.exe Ieidmbcc.exe File created C:\Windows\SysWOW64\Magqncba.exe Mmldme32.exe File created C:\Windows\SysWOW64\Ehllae32.dll Iokfhi32.exe File created C:\Windows\SysWOW64\Ofbjgh32.dll Mlkopcge.exe File created C:\Windows\SysWOW64\Efkdgmla.dll Aehboi32.exe File created C:\Windows\SysWOW64\Cdlgpgef.exe Cldooj32.exe File opened for modification C:\Windows\SysWOW64\Fllnlg32.exe Fcefji32.exe File created C:\Windows\SysWOW64\Ompoljfn.dll Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Aipddi32.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Mecbia32.dll Cdbdjhmp.exe File created C:\Windows\SysWOW64\Dcadac32.exe Djhphncm.exe File created C:\Windows\SysWOW64\Kklpekno.exe Kmjojo32.exe File opened for modification C:\Windows\SysWOW64\Limfed32.exe Lliflp32.exe File created C:\Windows\SysWOW64\Mdqmicng.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Ionkallc.dll Ombapedi.exe File created C:\Windows\SysWOW64\Bmkmdk32.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Ckccgane.exe Cclkfdnc.exe File created C:\Windows\SysWOW64\Jgcdki32.exe Jqilooij.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Baildokg.exe File created C:\Windows\SysWOW64\Cpeofk32.exe Cjlgiqbk.exe File opened for modification C:\Windows\SysWOW64\Konojnki.dll Kcihlong.exe -
Program crash 1 IoCs
pid pid_target Process 5276 5196 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emmcaafi.dll" Mcbjgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnobnmpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll" Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gmjaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpigfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll" Eibbcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ddokpmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apimacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hakphqja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpekon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konojnki.dll" Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ejmebq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eplkpgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfkjnkib.dll" Pfjbgnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfnkn32.dll" Ginnnooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bloqah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjlonii.dll" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llkbap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boqbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeope32.dll" Cdlnkmha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dqlafm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Gdamqndn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmfoi32.dll" Jbllihbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kblhgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkeimlfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjlgm32.dll" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nclpan32.dll" Kaaijdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Pklhlael.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnjb32.dll" Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmgpon32.dll" Ilncom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikfj32.dll" Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdfmnkb.dll" Bhahlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjmhe32.dll" Ikbgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loolpo32.dll" Mbpnanch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll" Ckffgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aipddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhnql32.dll" Hmfjha32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2612 2324 022e6b19ca261c4bfa1f1c5a5c4974fc.exe 28 PID 2324 wrote to memory of 2612 2324 022e6b19ca261c4bfa1f1c5a5c4974fc.exe 28 PID 2324 wrote to memory of 2612 2324 022e6b19ca261c4bfa1f1c5a5c4974fc.exe 28 PID 2324 wrote to memory of 2612 2324 022e6b19ca261c4bfa1f1c5a5c4974fc.exe 28 PID 2612 wrote to memory of 2636 2612 Nqqdag32.exe 29 PID 2612 wrote to memory of 2636 2612 Nqqdag32.exe 29 PID 2612 wrote to memory of 2636 2612 Nqqdag32.exe 29 PID 2612 wrote to memory of 2636 2612 Nqqdag32.exe 29 PID 2636 wrote to memory of 1472 2636 Ngkmnacm.exe 30 PID 2636 wrote to memory of 1472 2636 Ngkmnacm.exe 30 PID 2636 wrote to memory of 1472 2636 Ngkmnacm.exe 30 PID 2636 wrote to memory of 1472 2636 Ngkmnacm.exe 30 PID 1472 wrote to memory of 2680 1472 Nccjhafn.exe 31 PID 1472 wrote to memory of 2680 1472 Nccjhafn.exe 31 PID 1472 wrote to memory of 2680 1472 Nccjhafn.exe 31 PID 1472 wrote to memory of 2680 1472 Nccjhafn.exe 31 PID 2680 wrote to memory of 2424 2680 Onmkio32.exe 32 PID 2680 wrote to memory of 2424 2680 Onmkio32.exe 32 PID 2680 wrote to memory of 2424 2680 Onmkio32.exe 32 PID 2680 wrote to memory of 2424 2680 Onmkio32.exe 32 PID 2424 wrote to memory of 2896 2424 Odjpkihg.exe 33 PID 2424 wrote to memory of 2896 2424 Odjpkihg.exe 33 PID 2424 wrote to memory of 2896 2424 Odjpkihg.exe 33 PID 2424 wrote to memory of 2896 2424 Odjpkihg.exe 33 PID 2896 wrote to memory of 2600 2896 Oqqapjnk.exe 34 PID 2896 wrote to memory of 2600 2896 Oqqapjnk.exe 34 PID 2896 wrote to memory of 2600 2896 Oqqapjnk.exe 34 PID 2896 wrote to memory of 2600 2896 Oqqapjnk.exe 34 PID 2600 wrote to memory of 2788 2600 Pfbccp32.exe 35 PID 2600 wrote to memory of 2788 2600 Pfbccp32.exe 35 PID 2600 wrote to memory of 2788 2600 Pfbccp32.exe 35 PID 2600 wrote to memory of 2788 2600 Pfbccp32.exe 35 PID 2788 wrote to memory of 2928 2788 Piblek32.exe 36 PID 2788 wrote to memory of 2928 2788 Piblek32.exe 36 PID 2788 wrote to memory of 2928 2788 Piblek32.exe 36 PID 2788 wrote to memory of 2928 2788 Piblek32.exe 36 PID 2928 wrote to memory of 380 2928 Piehkkcl.exe 37 PID 2928 wrote to memory of 380 2928 Piehkkcl.exe 37 PID 2928 wrote to memory of 380 2928 Piehkkcl.exe 37 PID 2928 wrote to memory of 380 2928 Piehkkcl.exe 37 PID 380 wrote to memory of 2032 380 Ppoqge32.exe 38 PID 380 wrote to memory of 2032 380 Ppoqge32.exe 38 PID 380 wrote to memory of 2032 380 Ppoqge32.exe 38 PID 380 wrote to memory of 2032 380 Ppoqge32.exe 38 PID 2032 wrote to memory of 2360 2032 Pijbfj32.exe 39 PID 2032 wrote to memory of 2360 2032 Pijbfj32.exe 39 PID 2032 wrote to memory of 2360 2032 Pijbfj32.exe 39 PID 2032 wrote to memory of 2360 2032 Pijbfj32.exe 39 PID 2360 wrote to memory of 1852 2360 Ajphib32.exe 40 PID 2360 wrote to memory of 1852 2360 Ajphib32.exe 40 PID 2360 wrote to memory of 1852 2360 Ajphib32.exe 40 PID 2360 wrote to memory of 1852 2360 Ajphib32.exe 40 PID 1852 wrote to memory of 2076 1852 Adjigg32.exe 41 PID 1852 wrote to memory of 2076 1852 Adjigg32.exe 41 PID 1852 wrote to memory of 2076 1852 Adjigg32.exe 41 PID 1852 wrote to memory of 2076 1852 Adjigg32.exe 41 PID 2076 wrote to memory of 488 2076 Ambmpmln.exe 42 PID 2076 wrote to memory of 488 2076 Ambmpmln.exe 42 PID 2076 wrote to memory of 488 2076 Ambmpmln.exe 42 PID 2076 wrote to memory of 488 2076 Ambmpmln.exe 42 PID 488 wrote to memory of 1408 488 Apajlhka.exe 43 PID 488 wrote to memory of 1408 488 Apajlhka.exe 43 PID 488 wrote to memory of 1408 488 Apajlhka.exe 43 PID 488 wrote to memory of 1408 488 Apajlhka.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e6b19ca261c4bfa1f1c5a5c4974fc.exe"C:\Users\Admin\AppData\Local\Temp\022e6b19ca261c4bfa1f1c5a5c4974fc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Apajlhka.exeC:\Windows\system32\Apajlhka.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe27⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe34⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe35⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe37⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe38⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe40⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe41⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe42⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe43⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe44⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Comimg32.exeC:\Windows\system32\Comimg32.exe45⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe47⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe48⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe49⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe56⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe57⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe58⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe59⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe60⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe63⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe64⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe65⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe66⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe68⤵PID:2388
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe69⤵PID:2640
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe70⤵PID:2008
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe71⤵PID:1872
-
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe72⤵PID:952
-
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe73⤵PID:2328
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe74⤵PID:868
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe75⤵PID:2244
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe77⤵
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe78⤵PID:1260
-
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe79⤵PID:1908
-
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe80⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe81⤵PID:1516
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe82⤵PID:3044
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe83⤵PID:2552
-
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe84⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe85⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe87⤵PID:2236
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe89⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe90⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe91⤵PID:1440
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe92⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe93⤵PID:2952
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe95⤵PID:2440
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe97⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe98⤵PID:2888
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe99⤵PID:2796
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe100⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe102⤵PID:2448
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe103⤵
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe104⤵PID:1424
-
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe105⤵PID:1136
-
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe106⤵PID:2248
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe107⤵PID:2816
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe108⤵PID:656
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe109⤵PID:2188
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1916 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe111⤵PID:2312
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe112⤵PID:788
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe114⤵PID:1756
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe115⤵PID:1716
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe116⤵PID:2392
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe117⤵
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe119⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe120⤵PID:3000
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe121⤵PID:2700
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-