Analysis
-
max time kernel
93s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 14:49
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Padodor.SK.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Padodor.SK.exe
-
Size
92KB
-
MD5
b7709062c5062fefe2a3c2f532074c30
-
SHA1
f7d709012a4b882e735cab109b85fb28ad69d5f4
-
SHA256
038815c68dd463ba79e60abfeb223dd593323d6a7b3ac1ccf49969cabedba702
-
SHA512
af80fb5b8d7b43cc3f2bf0a22dd13de93095c11c8cab5daa5c0d0be805a882e06252a42ce83cdde2d51307777903698e1146d3a4a22216e4ee73c8fe68939230
-
SSDEEP
1536:Y0mR0ETedBkJeC7ZcfbvH5f16rod97zpTLOunKQrUoR24HsUs:Yz7V7iDvZforQTLk6THsR
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgoeep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojanpej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbloglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Neppokal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eibfck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfnofpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhiajmod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcphab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koodbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enbjad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbbmmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkeldnpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbbmnnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcjkfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejalcgkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcogje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdinljnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmmqhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eemgplno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fggocmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmhand32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pakllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aolblopj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgjjdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgqqdeod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqpbglno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gilapgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inlihl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohhnbhok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkleeplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlglfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehlkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdgfce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clchbqoo.exe -
Executes dropped EXE 64 IoCs
pid Process 4780 Eglgbdep.exe 5060 Eobocb32.exe 3976 Eemgplno.exe 4456 Egnchd32.exe 4288 Eoekia32.exe 3644 Feocelll.exe 740 Fgppmd32.exe 1724 Foghnabl.exe 1664 Fafdkmap.exe 716 Fknicb32.exe 2260 Fnmepn32.exe 2336 Fdfmlhna.exe 1952 Fgeihcme.exe 64 Fdijbg32.exe 4936 Fkcboack.exe 2264 Fehfljca.exe 1332 Fhgbhfbe.exe 576 Gekcaj32.exe 3800 Gglpibgm.exe 4376 Gnfhfl32.exe 3664 Ggnlobej.exe 744 Gnhdkl32.exe 1504 Gdbmhf32.exe 3992 Gkleeplq.exe 2816 Gafmaj32.exe 4240 Ghpendjj.exe 2168 Gnmnfkia.exe 3056 Gdgfce32.exe 4172 Ggeboaob.exe 3584 Hnoklk32.exe 3524 Hheoid32.exe 4848 Hkckeo32.exe 1596 Hnagak32.exe 1968 Hfipbh32.exe 2088 Hhgloc32.exe 1204 Hgjljpkm.exe 4404 Hoadkn32.exe 4104 Hbpphi32.exe 3764 Hdnldd32.exe 208 Hglipp32.exe 3436 Hkhdqoac.exe 3484 Hbbmmi32.exe 4864 Hdpiid32.exe 4896 Hgoeep32.exe 3376 Hninbj32.exe 1380 Hfpecg32.exe 412 Hdbfodfa.exe 5088 Inkjhi32.exe 1036 Iokgal32.exe 4232 Idgojc32.exe 3320 Iomcgl32.exe 2844 Ighhln32.exe 4424 Ibnligoc.exe 4704 Ifihif32.exe 4384 Ioambknl.exe 2860 Ifleoe32.exe 924 Igmagnkg.exe 2396 Jbbfdfkn.exe 4620 Jgonlm32.exe 1772 Joffnk32.exe 2932 Jecofa32.exe 2412 Jgakbm32.exe 1932 Joiccj32.exe 3168 Jiaglp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Gmimai32.exe File created C:\Windows\SysWOW64\Pgihfj32.exe Poaqemao.exe File opened for modification C:\Windows\SysWOW64\Gnjjfegi.exe Ginnfgop.exe File opened for modification C:\Windows\SysWOW64\Indfca32.exe Ikejgf32.exe File created C:\Windows\SysWOW64\Jklphekp.exe Jdbhkk32.exe File created C:\Windows\SysWOW64\Hkicaahi.exe Hcblpdgg.exe File opened for modification C:\Windows\SysWOW64\Meiioonj.exe Mnpabe32.exe File created C:\Windows\SysWOW64\Odhifjkg.exe Najmjokc.exe File created C:\Windows\SysWOW64\Jblpmmae.dll Nhbfff32.exe File created C:\Windows\SysWOW64\Hpdclcbj.dll Fkihnmhj.exe File opened for modification C:\Windows\SysWOW64\Ejlbhh32.exe Ebejfk32.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe Bdickcpo.exe File created C:\Windows\SysWOW64\Gmnagpbq.dll Jpkphjeb.exe File created C:\Windows\SysWOW64\Epaobqhf.dll Gilapgqb.exe File created C:\Windows\SysWOW64\Lpmkebjc.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cklhcfle.exe Process not Found File created C:\Windows\SysWOW64\Hoclopne.exe Hmbphg32.exe File opened for modification C:\Windows\SysWOW64\Ogjdmbil.exe Process not Found File opened for modification C:\Windows\SysWOW64\Napjdpcn.exe Njfagf32.exe File created C:\Windows\SysWOW64\Hlgdjg32.dll Joahqn32.exe File opened for modification C:\Windows\SysWOW64\Lpkiph32.exe Kiaqcnpb.exe File opened for modification C:\Windows\SysWOW64\Ohiemobf.exe Oaompd32.exe File opened for modification C:\Windows\SysWOW64\Bmlilh32.exe Bjnmpl32.exe File created C:\Windows\SysWOW64\Aiffheej.dll Bkobmnka.exe File created C:\Windows\SysWOW64\Enjgeopm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ggnlobej.exe Gnfhfl32.exe File created C:\Windows\SysWOW64\Lnnikdnj.exe Lpkiph32.exe File created C:\Windows\SysWOW64\Ehighp32.dll Igedlh32.exe File opened for modification C:\Windows\SysWOW64\Hoadkn32.exe Hgjljpkm.exe File created C:\Windows\SysWOW64\Pfogpg32.dll Ejbbmnnb.exe File created C:\Windows\SysWOW64\Hgkkkcbc.exe Hpabni32.exe File created C:\Windows\SysWOW64\Ohnebd32.exe Ogmijllo.exe File opened for modification C:\Windows\SysWOW64\Ppamophb.exe Pleaoa32.exe File opened for modification C:\Windows\SysWOW64\Qlmgopjq.exe Qjnkcekm.exe File opened for modification C:\Windows\SysWOW64\Aijnep32.exe Ajhniccb.exe File created C:\Windows\SysWOW64\Coohhlpe.exe Blqllqqa.exe File opened for modification C:\Windows\SysWOW64\Fbpchb32.exe Fpbflg32.exe File opened for modification C:\Windows\SysWOW64\Nqpcjj32.exe Process not Found File created C:\Windows\SysWOW64\Ggnjnq32.dll Efkphnbd.exe File created C:\Windows\SysWOW64\Ihbdplfi.exe Idghpmnp.exe File created C:\Windows\SysWOW64\Eehicoel.exe Ennqfenp.exe File opened for modification C:\Windows\SysWOW64\Gnfhfl32.exe Gglpibgm.exe File created C:\Windows\SysWOW64\Cdjnam32.dll Aggegh32.exe File created C:\Windows\SysWOW64\Ginnfgop.exe Gklnjj32.exe File opened for modification C:\Windows\SysWOW64\Pknqoc32.exe Pddhbipj.exe File created C:\Windows\SysWOW64\Gglpibgm.exe Gekcaj32.exe File created C:\Windows\SysWOW64\Mjnafk32.dll Mnnkgl32.exe File created C:\Windows\SysWOW64\Ljfhqh32.exe Lggldm32.exe File created C:\Windows\SysWOW64\Omqmop32.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Jbidda32.dll Bjlgdc32.exe File created C:\Windows\SysWOW64\Imnocf32.exe Iibccgep.exe File created C:\Windows\SysWOW64\Jnlkedai.exe Jedccfqg.exe File opened for modification C:\Windows\SysWOW64\Ojfcdnjc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Qpcecb32.exe Process not Found File created C:\Windows\SysWOW64\Inkjhi32.exe Hdbfodfa.exe File opened for modification C:\Windows\SysWOW64\Dapkni32.exe Diicml32.exe File created C:\Windows\SysWOW64\Fggocmhf.exe Fajgkfio.exe File opened for modification C:\Windows\SysWOW64\Afkknogn.exe Acmobchj.exe File created C:\Windows\SysWOW64\Abdkep32.dll Ekodjiol.exe File created C:\Windows\SysWOW64\Pngfalmm.dll Fpjcgm32.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Klhnfo32.exe File created C:\Windows\SysWOW64\Bhpofl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe Process not Found File created C:\Windows\SysWOW64\Aieeeflh.dll Ogfcjm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6944 7244 Process not Found 1234 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfaohbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifleoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofnik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Backdoor.Win32.Padodor.SK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbklm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlmkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcqiope.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpdblmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhikacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoogi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miofjepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjokgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objpoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcggio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbnmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfpckhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmagnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpkiph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjgaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peieba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcicklnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcdqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licfngjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoknihb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgfce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnoklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kppici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkihnmhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hninbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhiajmod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgafjpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oondnini.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkbik32.dll" Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkmdecbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll" Nliaao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqfngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gehbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inkjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdmqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcjmel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfkbf32.dll" Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnffffp.dll" Odoogi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnoklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cioilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omjpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknajfhe.dll" Fmhdkknd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbeloo32.dll" Epjajeqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgdfa32.dll" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbekbm32.dll" Liqihglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll" Jgpfbjlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eiaoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgqfdnah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lggldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimocoao.dll" Hglipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfpecg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpeaedjn.dll" Hdmein32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll" Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnjdgj.dll" Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nondlbmd.dll" Blhpqhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbchba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnhqepf.dll" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" Gppcmeem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnoknihb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmeal32.dll" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjohde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmojkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhnlkfpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phganm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifihif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Miomdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdbmhf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4916 wrote to memory of 4780 4916 Backdoor.Win32.Padodor.SK.exe 82 PID 4916 wrote to memory of 4780 4916 Backdoor.Win32.Padodor.SK.exe 82 PID 4916 wrote to memory of 4780 4916 Backdoor.Win32.Padodor.SK.exe 82 PID 4780 wrote to memory of 5060 4780 Eglgbdep.exe 83 PID 4780 wrote to memory of 5060 4780 Eglgbdep.exe 83 PID 4780 wrote to memory of 5060 4780 Eglgbdep.exe 83 PID 5060 wrote to memory of 3976 5060 Eobocb32.exe 84 PID 5060 wrote to memory of 3976 5060 Eobocb32.exe 84 PID 5060 wrote to memory of 3976 5060 Eobocb32.exe 84 PID 3976 wrote to memory of 4456 3976 Eemgplno.exe 85 PID 3976 wrote to memory of 4456 3976 Eemgplno.exe 85 PID 3976 wrote to memory of 4456 3976 Eemgplno.exe 85 PID 4456 wrote to memory of 4288 4456 Egnchd32.exe 86 PID 4456 wrote to memory of 4288 4456 Egnchd32.exe 86 PID 4456 wrote to memory of 4288 4456 Egnchd32.exe 86 PID 4288 wrote to memory of 3644 4288 Eoekia32.exe 87 PID 4288 wrote to memory of 3644 4288 Eoekia32.exe 87 PID 4288 wrote to memory of 3644 4288 Eoekia32.exe 87 PID 3644 wrote to memory of 740 3644 Feocelll.exe 88 PID 3644 wrote to memory of 740 3644 Feocelll.exe 88 PID 3644 wrote to memory of 740 3644 Feocelll.exe 88 PID 740 wrote to memory of 1724 740 Fgppmd32.exe 89 PID 740 wrote to memory of 1724 740 Fgppmd32.exe 89 PID 740 wrote to memory of 1724 740 Fgppmd32.exe 89 PID 1724 wrote to memory of 1664 1724 Foghnabl.exe 90 PID 1724 wrote to memory of 1664 1724 Foghnabl.exe 90 PID 1724 wrote to memory of 1664 1724 Foghnabl.exe 90 PID 1664 wrote to memory of 716 1664 Fafdkmap.exe 91 PID 1664 wrote to memory of 716 1664 Fafdkmap.exe 91 PID 1664 wrote to memory of 716 1664 Fafdkmap.exe 91 PID 716 wrote to memory of 2260 716 Fknicb32.exe 92 PID 716 wrote to memory of 2260 716 Fknicb32.exe 92 PID 716 wrote to memory of 2260 716 Fknicb32.exe 92 PID 2260 wrote to memory of 2336 2260 Fnmepn32.exe 93 PID 2260 wrote to memory of 2336 2260 Fnmepn32.exe 93 PID 2260 wrote to memory of 2336 2260 Fnmepn32.exe 93 PID 2336 wrote to memory of 1952 2336 Fdfmlhna.exe 94 PID 2336 wrote to memory of 1952 2336 Fdfmlhna.exe 94 PID 2336 wrote to memory of 1952 2336 Fdfmlhna.exe 94 PID 1952 wrote to memory of 64 1952 Fgeihcme.exe 95 PID 1952 wrote to memory of 64 1952 Fgeihcme.exe 95 PID 1952 wrote to memory of 64 1952 Fgeihcme.exe 95 PID 64 wrote to memory of 4936 64 Fdijbg32.exe 96 PID 64 wrote to memory of 4936 64 Fdijbg32.exe 96 PID 64 wrote to memory of 4936 64 Fdijbg32.exe 96 PID 4936 wrote to memory of 2264 4936 Fkcboack.exe 97 PID 4936 wrote to memory of 2264 4936 Fkcboack.exe 97 PID 4936 wrote to memory of 2264 4936 Fkcboack.exe 97 PID 2264 wrote to memory of 1332 2264 Fehfljca.exe 98 PID 2264 wrote to memory of 1332 2264 Fehfljca.exe 98 PID 2264 wrote to memory of 1332 2264 Fehfljca.exe 98 PID 1332 wrote to memory of 576 1332 Fhgbhfbe.exe 99 PID 1332 wrote to memory of 576 1332 Fhgbhfbe.exe 99 PID 1332 wrote to memory of 576 1332 Fhgbhfbe.exe 99 PID 576 wrote to memory of 3800 576 Gekcaj32.exe 100 PID 576 wrote to memory of 3800 576 Gekcaj32.exe 100 PID 576 wrote to memory of 3800 576 Gekcaj32.exe 100 PID 3800 wrote to memory of 4376 3800 Gglpibgm.exe 101 PID 3800 wrote to memory of 4376 3800 Gglpibgm.exe 101 PID 3800 wrote to memory of 4376 3800 Gglpibgm.exe 101 PID 4376 wrote to memory of 3664 4376 Gnfhfl32.exe 102 PID 4376 wrote to memory of 3664 4376 Gnfhfl32.exe 102 PID 4376 wrote to memory of 3664 4376 Gnfhfl32.exe 102 PID 3664 wrote to memory of 744 3664 Ggnlobej.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Fgppmd32.exeC:\Windows\system32\Fgppmd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Fgeihcme.exeC:\Windows\system32\Fgeihcme.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Gnhdkl32.exeC:\Windows\system32\Gnhdkl32.exe23⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Gafmaj32.exeC:\Windows\system32\Gafmaj32.exe26⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe27⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe28⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe30⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe32⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe33⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe34⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe35⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe36⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe38⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Hbpphi32.exeC:\Windows\system32\Hbpphi32.exe39⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe40⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Hglipp32.exeC:\Windows\system32\Hglipp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:208 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3436 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe44⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:412 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe50⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe51⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe52⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe53⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe54⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:4704 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe56⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Ifleoe32.exeC:\Windows\system32\Ifleoe32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe59⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe60⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe61⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe62⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe63⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Joiccj32.exeC:\Windows\system32\Joiccj32.exe64⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe65⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe66⤵
- Drops file in System32 directory
PID:4380 -
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe67⤵PID:1316
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe68⤵PID:628
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe69⤵PID:1648
-
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe70⤵PID:4080
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe71⤵PID:4420
-
C:\Windows\SysWOW64\Kppici32.exeC:\Windows\system32\Kppici32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Kbnepe32.exeC:\Windows\system32\Kbnepe32.exe73⤵PID:516
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe74⤵PID:1960
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe75⤵PID:2796
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe76⤵PID:4460
-
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe77⤵PID:2320
-
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe78⤵PID:4592
-
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe79⤵PID:2328
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe80⤵PID:400
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe81⤵PID:4060
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe82⤵PID:2516
-
C:\Windows\SysWOW64\Kfqgab32.exeC:\Windows\system32\Kfqgab32.exe83⤵PID:2880
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe84⤵PID:2436
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe85⤵PID:4792
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe86⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe88⤵PID:2452
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe89⤵PID:2192
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe90⤵PID:692
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe91⤵PID:4508
-
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe92⤵PID:4788
-
C:\Windows\SysWOW64\Locbfd32.exeC:\Windows\system32\Locbfd32.exe93⤵PID:5104
-
C:\Windows\SysWOW64\Lfjjga32.exeC:\Windows\system32\Lfjjga32.exe94⤵PID:4644
-
C:\Windows\SysWOW64\Lihfcm32.exeC:\Windows\system32\Lihfcm32.exe95⤵PID:3040
-
C:\Windows\SysWOW64\Lpbopfag.exeC:\Windows\system32\Lpbopfag.exe96⤵PID:5044
-
C:\Windows\SysWOW64\Lbqklb32.exeC:\Windows\system32\Lbqklb32.exe97⤵PID:2528
-
C:\Windows\SysWOW64\Leoghn32.exeC:\Windows\system32\Leoghn32.exe98⤵PID:4808
-
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe99⤵PID:4660
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe100⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe101⤵
- Modifies registry class
PID:4584 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe102⤵PID:4044
-
C:\Windows\SysWOW64\Mhppji32.exeC:\Windows\system32\Mhppji32.exe103⤵PID:2552
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe104⤵PID:4940
-
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe105⤵PID:3888
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe106⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Mlnipg32.exeC:\Windows\system32\Mlnipg32.exe107⤵PID:4552
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe108⤵PID:4020
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe109⤵
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe110⤵PID:4416
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe111⤵PID:4312
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe112⤵PID:4536
-
C:\Windows\SysWOW64\Mehjol32.exeC:\Windows\system32\Mehjol32.exe113⤵PID:3268
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe114⤵PID:3044
-
C:\Windows\SysWOW64\Mekgdl32.exeC:\Windows\system32\Mekgdl32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4740 -
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe116⤵PID:2304
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe117⤵PID:5128
-
C:\Windows\SysWOW64\Mbognp32.exeC:\Windows\system32\Mbognp32.exe118⤵PID:5196
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe119⤵PID:5240
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe120⤵PID:5284
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe122⤵PID:5396
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-