Analysis
-
max time kernel
142s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20/05/2024, 03:59
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe
-
Size
128KB
-
MD5
02bc84702be7d2be276b901ba320c222
-
SHA1
12803e4d97cca163888b8452542c3e69bb945d96
-
SHA256
e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9
-
SHA512
3801ed6e6bb3c88fead897c7f225f2b0c1c36ea4ed2a0e28eebf8e64df8d61c5252443f848f94f22a3a283914381912361d5f116d674fd0f4f6427b290e618d5
-
SSDEEP
1536:/ohHOByMqZigeBkryhTugfNI/e5ayGYjefkRVqYCtfnnouy8O6Nuf51TQmQM22Of:/ohkqi3SDglI/e5ayGY6fuynoutkTy2o
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcbodli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnemdecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obafnlpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejgko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpgpkcpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lemaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgmgmfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mppepcfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bldcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbllihbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaceodek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjcpii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pklhlael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbhnhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjfccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikpjgkjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmlam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leonofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chbjffad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldidkbpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodonf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpbefoai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolhan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoocjfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgdbmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooeggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbjochdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkncmmle.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000c000000012674-13.dat UPX behavioral1/files/0x000800000001564f-20.dat UPX behavioral1/files/0x000700000001565d-41.dat UPX behavioral1/files/0x0007000000015684-48.dat UPX behavioral1/files/0x0006000000015d87-68.dat UPX behavioral1/files/0x0006000000015e32-75.dat UPX behavioral1/files/0x0006000000015f65-88.dat UPX behavioral1/files/0x000600000001610f-101.dat UPX behavioral1/files/0x000600000001630a-120.dat UPX behavioral1/files/0x000600000001658a-127.dat UPX behavioral1/files/0x0006000000016851-140.dat UPX behavioral1/files/0x0006000000016c44-153.dat UPX behavioral1/files/0x0006000000016c64-173.dat UPX behavioral1/files/0x0006000000016cdc-180.dat UPX behavioral1/files/0x0006000000016d18-193.dat UPX behavioral1/files/0x0006000000016d34-206.dat UPX behavioral1/files/0x0006000000016d3e-220.dat UPX behavioral1/files/0x0036000000014bbc-231.dat UPX behavioral1/files/0x0006000000016d74-240.dat UPX behavioral1/files/0x0006000000016d9d-250.dat UPX behavioral1/files/0x0006000000016db1-260.dat UPX behavioral1/files/0x0006000000016dbe-269.dat UPX behavioral1/files/0x000600000001708b-277.dat UPX behavioral1/files/0x00060000000173d0-291.dat UPX behavioral1/files/0x0015000000018644-300.dat UPX behavioral1/files/0x0005000000018665-311.dat UPX behavioral1/files/0x00050000000186fa-323.dat UPX behavioral1/files/0x000500000001876a-333.dat UPX behavioral1/files/0x0005000000018774-344.dat UPX behavioral1/files/0x0006000000018b5c-354.dat UPX behavioral1/files/0x0006000000018bd2-365.dat UPX behavioral1/files/0x000600000001901c-376.dat UPX behavioral1/files/0x00050000000192eb-387.dat UPX behavioral1/files/0x0005000000019381-398.dat UPX behavioral1/files/0x0005000000019414-409.dat UPX behavioral1/files/0x0005000000019433-423.dat UPX behavioral1/files/0x0005000000019453-431.dat UPX behavioral1/files/0x00050000000194ad-442.dat UPX behavioral1/files/0x00050000000194e1-453.dat UPX behavioral1/files/0x00050000000195ab-464.dat UPX behavioral1/files/0x0005000000019608-475.dat UPX behavioral1/files/0x000500000001960e-486.dat UPX behavioral1/files/0x0005000000019614-497.dat UPX behavioral1/files/0x0005000000019618-508.dat UPX behavioral1/files/0x000500000001961a-519.dat UPX behavioral1/files/0x000500000001961c-530.dat UPX behavioral1/files/0x0005000000019620-541.dat UPX behavioral1/files/0x0005000000019624-551.dat UPX behavioral1/files/0x000500000001966d-563.dat UPX behavioral1/files/0x00050000000196a1-575.dat UPX behavioral1/files/0x000500000001980d-587.dat UPX behavioral1/files/0x0005000000019902-598.dat UPX behavioral1/files/0x0005000000019c46-610.dat UPX behavioral1/files/0x0005000000019c4b-620.dat UPX behavioral1/files/0x0005000000019daf-634.dat UPX behavioral1/files/0x0005000000019ddd-644.dat UPX behavioral1/files/0x000500000001a026-655.dat UPX behavioral1/files/0x000500000001a08e-665.dat UPX behavioral1/files/0x000500000001a0d0-678.dat UPX behavioral1/files/0x000500000001a3fa-688.dat UPX behavioral1/files/0x000500000001a44b-700.dat UPX behavioral1/files/0x000500000001a453-711.dat UPX behavioral1/files/0x000500000001a48f-721.dat UPX behavioral1/files/0x000500000001a4a9-731.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 3060 Beehencq.exe 2984 Bommnc32.exe 2684 Balijo32.exe 2704 Bnbjopoi.exe 2464 Bhhnli32.exe 2440 Bnefdp32.exe 3056 Bdooajdc.exe 1620 Cjlgiqbk.exe 2668 Cljcelan.exe 1796 Ccdlbf32.exe 1808 Cnippoha.exe 2204 Ccfhhffh.exe 1036 Chcqpmep.exe 1300 Cfgaiaci.exe 2848 Chemfl32.exe 2136 Cckace32.exe 836 Cdlnkmha.exe 3040 Ckffgg32.exe 1664 Dflkdp32.exe 988 Dhjgal32.exe 1816 Dodonf32.exe 2284 Dqelenlc.exe 1972 Dgodbh32.exe 3000 Dnilobkm.exe 892 Ddcdkl32.exe 1604 Djpmccqq.exe 2080 Dqjepm32.exe 2932 Dchali32.exe 2552 Djbiicon.exe 2560 Dqlafm32.exe 2564 Dcknbh32.exe 2228 Eihfjo32.exe 3024 Eqonkmdh.exe 2352 Eflgccbp.exe 1220 Emeopn32.exe 2724 Epdkli32.exe 696 Efncicpm.exe 1200 Eilpeooq.exe 1516 Enihne32.exe 1328 Efppoc32.exe 2968 Elmigj32.exe 2404 Eajaoq32.exe 1640 Eiaiqn32.exe 2188 Eloemi32.exe 1828 Ealnephf.exe 1356 Fckjalhj.exe 936 Flabbihl.exe 1424 Fnpnndgp.exe 2292 Fejgko32.exe 2264 Ffkcbgek.exe 1596 Fnbkddem.exe 2992 Faagpp32.exe 2688 Fhkpmjln.exe 2636 Ffnphf32.exe 2460 Fmhheqje.exe 2548 Fpfdalii.exe 2164 Fbdqmghm.exe 2716 Fjlhneio.exe 1576 Flmefm32.exe 796 Fddmgjpo.exe 2172 Ffbicfoc.exe 2864 Fiaeoang.exe 1648 Fmlapp32.exe 2904 Gbijhg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2184 e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe 2184 e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe 3060 Beehencq.exe 3060 Beehencq.exe 2984 Bommnc32.exe 2984 Bommnc32.exe 2684 Balijo32.exe 2684 Balijo32.exe 2704 Bnbjopoi.exe 2704 Bnbjopoi.exe 2464 Bhhnli32.exe 2464 Bhhnli32.exe 2440 Bnefdp32.exe 2440 Bnefdp32.exe 3056 Bdooajdc.exe 3056 Bdooajdc.exe 1620 Cjlgiqbk.exe 1620 Cjlgiqbk.exe 2668 Cljcelan.exe 2668 Cljcelan.exe 1796 Ccdlbf32.exe 1796 Ccdlbf32.exe 1808 Cnippoha.exe 1808 Cnippoha.exe 2204 Ccfhhffh.exe 2204 Ccfhhffh.exe 1036 Chcqpmep.exe 1036 Chcqpmep.exe 1300 Cfgaiaci.exe 1300 Cfgaiaci.exe 2848 Chemfl32.exe 2848 Chemfl32.exe 2136 Cckace32.exe 2136 Cckace32.exe 836 Cdlnkmha.exe 836 Cdlnkmha.exe 3040 Ckffgg32.exe 3040 Ckffgg32.exe 1664 Dflkdp32.exe 1664 Dflkdp32.exe 988 Dhjgal32.exe 988 Dhjgal32.exe 1816 Dodonf32.exe 1816 Dodonf32.exe 2284 Dqelenlc.exe 2284 Dqelenlc.exe 1972 Dgodbh32.exe 1972 Dgodbh32.exe 3000 Dnilobkm.exe 3000 Dnilobkm.exe 892 Ddcdkl32.exe 892 Ddcdkl32.exe 1604 Djpmccqq.exe 1604 Djpmccqq.exe 2080 Dqjepm32.exe 2080 Dqjepm32.exe 2932 Dchali32.exe 2932 Dchali32.exe 2552 Djbiicon.exe 2552 Djbiicon.exe 2560 Dqlafm32.exe 2560 Dqlafm32.exe 2564 Dcknbh32.exe 2564 Dcknbh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jnemdecl.exe Igkdgk32.exe File created C:\Windows\SysWOW64\Oghmhi32.dll Ndkmpe32.exe File opened for modification C:\Windows\SysWOW64\Bppoqeja.exe Bldcpf32.exe File created C:\Windows\SysWOW64\Dlnbeh32.exe Ddgjdk32.exe File created C:\Windows\SysWOW64\Memeaofm.dll Dhjgal32.exe File created C:\Windows\SysWOW64\Lnnhje32.dll Fmlapp32.exe File created C:\Windows\SysWOW64\Ihoafpmp.exe Iaeiieeb.exe File created C:\Windows\SysWOW64\Jooclokl.dll Knjbnh32.exe File created C:\Windows\SysWOW64\Kfegbj32.exe Kgbggnhc.exe File opened for modification C:\Windows\SysWOW64\Mlibjc32.exe Mmfbogcn.exe File opened for modification C:\Windows\SysWOW64\Ckjpacfp.exe Bhkdeggl.exe File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe Faagpp32.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Eqpofkjo.dll Ihoafpmp.exe File created C:\Windows\SysWOW64\Bmamfo32.dll Ldidkbpb.exe File created C:\Windows\SysWOW64\Dpajdp32.dll Ofmbnkhg.exe File created C:\Windows\SysWOW64\Pnlqnl32.exe Pkndaa32.exe File created C:\Windows\SysWOW64\Clkmne32.dll Fidoim32.exe File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe Hpocfncj.exe File created C:\Windows\SysWOW64\Mdkqqa32.exe Mppepcfg.exe File created C:\Windows\SysWOW64\Odbhmo32.dll Eqonkmdh.exe File opened for modification C:\Windows\SysWOW64\Eilpeooq.exe Efncicpm.exe File opened for modification C:\Windows\SysWOW64\Fnpnndgp.exe Flabbihl.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Lajhofao.exe Lollckbk.exe File opened for modification C:\Windows\SysWOW64\Mgljbm32.exe Mpbaebdd.exe File created C:\Windows\SysWOW64\Obcccl32.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Ddpkof32.dll Pqhpdhcc.exe File opened for modification C:\Windows\SysWOW64\Bmmiij32.exe Biamilfj.exe File opened for modification C:\Windows\SysWOW64\Dcadac32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Djbiicon.exe Dchali32.exe File created C:\Windows\SysWOW64\Enhacojl.exe Efaibbij.exe File created C:\Windows\SysWOW64\Ccfhhffh.exe Cnippoha.exe File opened for modification C:\Windows\SysWOW64\Djpmccqq.exe Ddcdkl32.exe File created C:\Windows\SysWOW64\Mdqmicng.dll Nefpnhlc.exe File created C:\Windows\SysWOW64\Ahgnke32.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Jehkodcm.exe Jbjochdi.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Nejiih32.exe File opened for modification C:\Windows\SysWOW64\Nnennj32.exe Nkgbbo32.exe File created C:\Windows\SysWOW64\Onqamf32.dll Afcenm32.exe File created C:\Windows\SysWOW64\Jejhecaj.exe Jbllihbf.exe File created C:\Windows\SysWOW64\Fbfqed32.dll Lckdanld.exe File opened for modification C:\Windows\SysWOW64\Mmahdggc.exe Mkclhl32.exe File created C:\Windows\SysWOW64\Kaceodek.exe Kneicieh.exe File opened for modification C:\Windows\SysWOW64\Adpkee32.exe Aaaoij32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe File created C:\Windows\SysWOW64\Khejeajg.dll Hpocfncj.exe File opened for modification C:\Windows\SysWOW64\Kjljhjkl.exe Kcbakpdo.exe File opened for modification C:\Windows\SysWOW64\Kpmlkp32.exe Kiccofna.exe File created C:\Windows\SysWOW64\Llgodg32.dll Oqmmpd32.exe File created C:\Windows\SysWOW64\Dejpca32.dll Icmlam32.exe File created C:\Windows\SysWOW64\Incpoe32.exe Ikddbj32.exe File opened for modification C:\Windows\SysWOW64\Kjcpii32.exe Kblhgk32.exe File opened for modification C:\Windows\SysWOW64\Ojolhk32.exe Ngpolo32.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File created C:\Windows\SysWOW64\Ekelld32.exe Ehgppi32.exe File opened for modification C:\Windows\SysWOW64\Beehencq.exe e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe File created C:\Windows\SysWOW64\Hfmpcjge.dll Bhhnli32.exe File created C:\Windows\SysWOW64\Gddifnbk.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Kgpjanje.exe Kcdnao32.exe File created C:\Windows\SysWOW64\Delpclld.dll Mmfbogcn.exe File created C:\Windows\SysWOW64\Ogeigofa.exe Ocimgp32.exe File created C:\Windows\SysWOW64\Oclilp32.exe Oqmmpd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4712 4680 WerFault.exe 377 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omeope32.dll" Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baoohhdn.dll" Kcbakpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimbdhhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekodi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkpagq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" Dqjepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jicgpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpbefoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll" Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll" Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" Hpocfncj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kblhgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll" Bhndldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjcpii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enfenplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahgnke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiqoh32.dll" Kmjfdejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" Limfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nolhan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfmdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcnpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" Mcbjgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohfeog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcbllb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfcampgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffbicfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll" Hjhhocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hogmmjfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnlqnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anojbobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memeaofm.dll" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll" Gobgcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfgaiaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifcbodli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pflomnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhndldcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofelmloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjjddchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckafbbph.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2184 wrote to memory of 3060 2184 e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe 28 PID 2184 wrote to memory of 3060 2184 e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe 28 PID 2184 wrote to memory of 3060 2184 e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe 28 PID 2184 wrote to memory of 3060 2184 e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe 28 PID 3060 wrote to memory of 2984 3060 Beehencq.exe 29 PID 3060 wrote to memory of 2984 3060 Beehencq.exe 29 PID 3060 wrote to memory of 2984 3060 Beehencq.exe 29 PID 3060 wrote to memory of 2984 3060 Beehencq.exe 29 PID 2984 wrote to memory of 2684 2984 Bommnc32.exe 30 PID 2984 wrote to memory of 2684 2984 Bommnc32.exe 30 PID 2984 wrote to memory of 2684 2984 Bommnc32.exe 30 PID 2984 wrote to memory of 2684 2984 Bommnc32.exe 30 PID 2684 wrote to memory of 2704 2684 Balijo32.exe 31 PID 2684 wrote to memory of 2704 2684 Balijo32.exe 31 PID 2684 wrote to memory of 2704 2684 Balijo32.exe 31 PID 2684 wrote to memory of 2704 2684 Balijo32.exe 31 PID 2704 wrote to memory of 2464 2704 Bnbjopoi.exe 32 PID 2704 wrote to memory of 2464 2704 Bnbjopoi.exe 32 PID 2704 wrote to memory of 2464 2704 Bnbjopoi.exe 32 PID 2704 wrote to memory of 2464 2704 Bnbjopoi.exe 32 PID 2464 wrote to memory of 2440 2464 Bhhnli32.exe 33 PID 2464 wrote to memory of 2440 2464 Bhhnli32.exe 33 PID 2464 wrote to memory of 2440 2464 Bhhnli32.exe 33 PID 2464 wrote to memory of 2440 2464 Bhhnli32.exe 33 PID 2440 wrote to memory of 3056 2440 Bnefdp32.exe 34 PID 2440 wrote to memory of 3056 2440 Bnefdp32.exe 34 PID 2440 wrote to memory of 3056 2440 Bnefdp32.exe 34 PID 2440 wrote to memory of 3056 2440 Bnefdp32.exe 34 PID 3056 wrote to memory of 1620 3056 Bdooajdc.exe 35 PID 3056 wrote to memory of 1620 3056 Bdooajdc.exe 35 PID 3056 wrote to memory of 1620 3056 Bdooajdc.exe 35 PID 3056 wrote to memory of 1620 3056 Bdooajdc.exe 35 PID 1620 wrote to memory of 2668 1620 Cjlgiqbk.exe 36 PID 1620 wrote to memory of 2668 1620 Cjlgiqbk.exe 36 PID 1620 wrote to memory of 2668 1620 Cjlgiqbk.exe 36 PID 1620 wrote to memory of 2668 1620 Cjlgiqbk.exe 36 PID 2668 wrote to memory of 1796 2668 Cljcelan.exe 37 PID 2668 wrote to memory of 1796 2668 Cljcelan.exe 37 PID 2668 wrote to memory of 1796 2668 Cljcelan.exe 37 PID 2668 wrote to memory of 1796 2668 Cljcelan.exe 37 PID 1796 wrote to memory of 1808 1796 Ccdlbf32.exe 38 PID 1796 wrote to memory of 1808 1796 Ccdlbf32.exe 38 PID 1796 wrote to memory of 1808 1796 Ccdlbf32.exe 38 PID 1796 wrote to memory of 1808 1796 Ccdlbf32.exe 38 PID 1808 wrote to memory of 2204 1808 Cnippoha.exe 39 PID 1808 wrote to memory of 2204 1808 Cnippoha.exe 39 PID 1808 wrote to memory of 2204 1808 Cnippoha.exe 39 PID 1808 wrote to memory of 2204 1808 Cnippoha.exe 39 PID 2204 wrote to memory of 1036 2204 Ccfhhffh.exe 40 PID 2204 wrote to memory of 1036 2204 Ccfhhffh.exe 40 PID 2204 wrote to memory of 1036 2204 Ccfhhffh.exe 40 PID 2204 wrote to memory of 1036 2204 Ccfhhffh.exe 40 PID 1036 wrote to memory of 1300 1036 Chcqpmep.exe 41 PID 1036 wrote to memory of 1300 1036 Chcqpmep.exe 41 PID 1036 wrote to memory of 1300 1036 Chcqpmep.exe 41 PID 1036 wrote to memory of 1300 1036 Chcqpmep.exe 41 PID 1300 wrote to memory of 2848 1300 Cfgaiaci.exe 42 PID 1300 wrote to memory of 2848 1300 Cfgaiaci.exe 42 PID 1300 wrote to memory of 2848 1300 Cfgaiaci.exe 42 PID 1300 wrote to memory of 2848 1300 Cfgaiaci.exe 42 PID 2848 wrote to memory of 2136 2848 Chemfl32.exe 43 PID 2848 wrote to memory of 2136 2848 Chemfl32.exe 43 PID 2848 wrote to memory of 2136 2848 Chemfl32.exe 43 PID 2848 wrote to memory of 2136 2848 Chemfl32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe"C:\Users\Admin\AppData\Local\Temp\e6751eaac18e8839735ecd0496eb080d0d2a82535149ec8ee0c75b503c9ce9b9.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe33⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe35⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe36⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe37⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:696 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe39⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe40⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe41⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe42⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe43⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe44⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe45⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe46⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe47⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe49⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe54⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe55⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe56⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe58⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe59⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe65⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe66⤵PID:2788
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe67⤵PID:1776
-
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe68⤵PID:612
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe69⤵
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe71⤵PID:1792
-
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe72⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe74⤵PID:2576
-
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe75⤵PID:2376
-
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe76⤵PID:2860
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe77⤵PID:1536
-
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe78⤵PID:1028
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe79⤵PID:996
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe81⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe82⤵PID:1048
-
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe84⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe85⤵
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe87⤵PID:2332
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe88⤵PID:2640
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe89⤵PID:2420
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe90⤵PID:2468
-
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe93⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe94⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe96⤵PID:1820
-
C:\Windows\SysWOW64\Hjjddchg.exeC:\Windows\system32\Hjjddchg.exe97⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe98⤵PID:2808
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Iaeiieeb.exeC:\Windows\system32\Iaeiieeb.exe100⤵
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe101⤵
- Drops file in System32 directory
PID:1280 -
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe102⤵PID:2696
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe103⤵PID:2428
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe105⤵PID:2324
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe107⤵PID:1396
-
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe109⤵PID:2792
-
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe110⤵PID:704
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe111⤵PID:1044
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe113⤵
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe114⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe115⤵PID:2584
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe116⤵PID:2544
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe119⤵PID:2844
-
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe120⤵PID:2796
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe121⤵PID:1856
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-