Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2024, 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: 31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe
  Resource: win10v2004-20240226-en
General
Target: 31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe
Size: 464KB
MD5: db1c3f09860c42744c11088d19e8e3a8
SHA1: 8664b5523849e789d25b41d4b353f6c7579c9fd8
SHA256: 31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd
SHA512: f589c59e01c15083afc70441dbc41de8f8fad7bba7fdc66297525ead10d4dd114cd694dc47599232b27ef1cc9724ff00b1bd9cb7392722286b1bd75f0634f60c
SSDEEP: 6144:2IYqC89jFpebBEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:1p9j/OEVI2C4EVu2JEVcBEVI2C
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lahbei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icqmncof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqdbdbna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkiamp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfbcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbiphhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehjmnei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjqfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obnnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lipmoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fejlbgek.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjmjgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecpknke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqkjaifk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdkoef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcembe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cancekeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefoni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gggfme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcoioabf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Halhfe32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hepgkohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Janghmia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckcbaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkhpogij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagbdenk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gipbck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngipjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjpoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibegfglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hebcao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfanlpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agckiqgg.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjpoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imdgljil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bijncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgekjgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhqefjpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgmoigj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejlbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgbhdkml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adpogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpoiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 
Nkgoke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhgdmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncaklhdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obnehj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kagbdenk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apngjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhjjip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjjip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pecpknke.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgcqjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghmbib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnlpohj.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral2/files/0x000700000002327d-5.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4296-8-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002327f-15.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023281-23.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4724-28-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023283-31.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023285-39.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023287-47.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4616-48-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023289-55.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002328b-62.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/2192-64-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002328d-65.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002328d-70.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/2984-72-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002328f-78.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4620-79-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023291-86.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3420-87-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4236-95-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023295-94.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023299-102.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/872-103-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress 
behavioral2/files/0x000700000002329b-110.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/2988-112-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002329f-119.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4388-124-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232a1-126.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232a4-134.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/624-135-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232a6-142.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4456-143-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232a8-150.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/2304-152-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232af-158.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3252-159-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00080000000232b2-167.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00080000000232b2-166.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3808-168-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b6-174.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b6-176.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00080000000232ab-182.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4284-183-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00090000000232ae-191.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00090000000232b5-198.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b8-207.dat INDICATOR_EXE_Packed_MPress 
behavioral2/memory/2244-212-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232ba-214.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232bc-223.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232be-230.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232c0-237.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3192-239-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232c2-245.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232c4-253.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4880-261-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232d6-298.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4396-322-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00090000000232d8-323.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/5316-375-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232f2-376.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/5448-399-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/5560-418-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/5652-421-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/5752-440-0x0000000000400000-0x000000000049D000-memory.dmp INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process
4296 Mgeakekd.exe
4532 Nnafno32.exe
4724 Nncccnol.exe
4124 Nglhld32.exe
1748 Npgmpf32.exe
4616 Ngqagcag.exe
4116 Ogcnmc32.exe
2192 Onocomdo.exe
2984 Ppgegd32.exe
4620 Pagbaglh.exe
3420 Ppolhcnm.exe
4236 Qacameaj.exe
872 Cdbpgl32.exe
2988 Dnonkq32.exe
4388 Ddkbmj32.exe
3700 Eqdpgk32.exe
624 Eoepebho.exe
4456 Ebifmm32.exe
2304 Ekajec32.exe
3252 Fgjhpcmo.exe
3808 Filapfbo.exe
3140 Fqgedh32.exe
4284 Gegkpf32.exe
2976 Ganldgib.exe
1104 Gbnhoj32.exe
2244 Ggkqgaol.exe
4760 Geoapenf.exe
800 Hpfbcn32.exe
4912 Hnlodjpa.exe
3192 Halhfe32.exe
2400 Hpmhdmea.exe
1972 Iacngdgj.exe
4880 Ibegfglj.exe
2440 Ibjqaf32.exe
1548 Jidinqpb.exe
3128 Jekjcaef.exe
2676 Jbojlfdp.exe
452 Jpbjfjci.exe
4488 Jimldogg.exe
1180 Jahqiaeb.exe
1408 Klpakj32.exe
3324 Keifdpif.exe
4396 Klbnajqc.exe
4988 Kcoccc32.exe
3816 Kpccmhdg.exe
4228 Lhnhajba.exe
5124 Lohqnd32.exe
5156 Lhqefjpo.exe
5200 Lakfeodm.exe
5236 Lplfcf32.exe
5276 Mjggal32.exe
5316 Mcoljagj.exe
5368 Mhoahh32.exe
5408 Mjnnbk32.exe
5448 Mhckcgpj.exe
5492 Njbgmjgl.exe
5560 Nqmojd32.exe
5608 Noblkqca.exe
5652 Njgqhicg.exe
5712 Nqcejcha.exe
5752 Nmjfodne.exe
5792 Obgohklm.exe
5840 Ofegni32.exe
5880 Oqklkbbi.exe
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Obpkcc32.exe Ohhfknjf.exe File opened for modification C:\Windows\SysWOW64\Qifbll32.exe Pkabbgol.exe File created C:\Windows\SysWOW64\Gkomkdlk.dll Kmncif32.exe File created C:\Windows\SysWOW64\Ellbmedl.dll Chkjpm32.exe File created C:\Windows\SysWOW64\Mgeakekd.exe 31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe File created C:\Windows\SysWOW64\Ebifmm32.exe Eoepebho.exe File created C:\Windows\SysWOW64\Gfbhcl32.dll Dcphdqmj.exe File created C:\Windows\SysWOW64\Fglnkm32.exe Fjhmbihg.exe File created C:\Windows\SysWOW64\Lfjchn32.exe Kmaooihb.exe File created C:\Windows\SysWOW64\Mahklf32.exe Mllccpfj.exe File opened for modification C:\Windows\SysWOW64\Akhaipei.exe Aoapcood.exe File created C:\Windows\SysWOW64\Eqdpgk32.exe Ddkbmj32.exe File opened for modification C:\Windows\SysWOW64\Ganldgib.exe Gegkpf32.exe File opened for modification C:\Windows\SysWOW64\Klbnajqc.exe Keifdpif.exe File created C:\Windows\SysWOW64\Afjpan32.dll Bmidnm32.exe File opened for modification C:\Windows\SysWOW64\Alpnde32.exe Aeffgkkp.exe File created C:\Windows\SysWOW64\Nmnnlk32.exe Nhafcd32.exe File created C:\Windows\SysWOW64\Npadcfnl.exe Ngipjp32.exe File created C:\Windows\SysWOW64\Ecgodpgb.exe Eafbmgad.exe File created C:\Windows\SysWOW64\Lhpnlclc.exe Lbcedmnl.exe File created C:\Windows\SysWOW64\Llngbabj.exe Lahbei32.exe File created C:\Windows\SysWOW64\Lamlphoo.exe Lefkkg32.exe File created C:\Windows\SysWOW64\Cfedmfqd.exe Cpklql32.exe File opened for modification C:\Windows\SysWOW64\Ohaokbfd.exe Oiqomj32.exe File created C:\Windows\SysWOW64\Glngep32.exe Gojgkl32.exe File created C:\Windows\SysWOW64\Keghocao.exe Knmpbi32.exe File created C:\Windows\SysWOW64\Gfjmfj32.dll Lmgfod32.exe File opened for modification C:\Windows\SysWOW64\Phlikg32.exe Pocdba32.exe File created C:\Windows\SysWOW64\Oidfpeba.dll Pdbiphhi.exe File opened for modification C:\Windows\SysWOW64\Njbgmjgl.exe Mhckcgpj.exe File 
opened for modification C:\Windows\SysWOW64\Abmjqe32.exe Ampaho32.exe File created C:\Windows\SysWOW64\Dcihengm.dll Imfdaigj.exe File created C:\Windows\SysWOW64\Ganldgib.exe Gegkpf32.exe File created C:\Windows\SysWOW64\Bbefln32.exe Blknpdho.exe File opened for modification C:\Windows\SysWOW64\Edakimoo.exe Eilfldoi.exe File opened for modification C:\Windows\SysWOW64\Jjefao32.exe Hadcce32.exe File opened for modification C:\Windows\SysWOW64\Mknlef32.exe Maehlqch.exe File created C:\Windows\SysWOW64\Hghklqmm.dll Kcoccc32.exe File opened for modification C:\Windows\SysWOW64\Fkjfakng.exe Fqdbdbna.exe File created C:\Windows\SysWOW64\Heepfn32.exe Hnkhjdle.exe File opened for modification C:\Windows\SysWOW64\Ecanojgl.exe Emeffcid.exe File opened for modification C:\Windows\SysWOW64\Bbefln32.exe Blknpdho.exe File created C:\Windows\SysWOW64\Inhmqlmj.exe Icciccmd.exe File created C:\Windows\SysWOW64\Ephgolkn.dll Bijncb32.exe File created C:\Windows\SysWOW64\Mllccpfj.exe Mafofggd.exe File opened for modification C:\Windows\SysWOW64\Apngjd32.exe Aidomjaf.exe File created C:\Windows\SysWOW64\Dbebgj32.dll Bbefln32.exe File opened for modification C:\Windows\SysWOW64\Hgbonm32.exe Hgkimn32.exe File created C:\Windows\SysWOW64\Nekfnbbc.dll Dngobghg.exe File created C:\Windows\SysWOW64\Qgehml32.exe Pahpee32.exe File opened for modification C:\Windows\SysWOW64\Gojgkl32.exe Gaffbg32.exe File opened for modification C:\Windows\SysWOW64\Gnfooe32.exe Gcqjal32.exe File created C:\Windows\SysWOW64\Hiocnbpm.dll Inkaqb32.exe File created C:\Windows\SysWOW64\Mdbnmbhj.exe Mlgjhp32.exe File opened for modification C:\Windows\SysWOW64\Odgjdibf.exe Ohpiphlb.exe File created C:\Windows\SysWOW64\Addnfnhd.dll Iebfmfdg.exe File created C:\Windows\SysWOW64\Kfidgk32.exe Keghocao.exe File opened for modification C:\Windows\SysWOW64\Biedhclh.exe Agckiqgg.exe File created C:\Windows\SysWOW64\Hgbonm32.exe Hgkimn32.exe File created C:\Windows\SysWOW64\Opnaqk32.dll Gbnhoj32.exe File created 
C:\Windows\SysWOW64\Acccdj32.exe Amikgpcc.exe File created C:\Windows\SysWOW64\Ajgqdaoi.dll Fkcpql32.exe File created C:\Windows\SysWOW64\Ookhfigk.exe Ofbdncaj.exe File created C:\Windows\SysWOW64\Lahbei32.exe Lhpnlclc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target
5332 6736 WerFault.exe 575
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Biljib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lhqefjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lplfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lplfcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igjbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll" Lhpnlclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhaqgln.dll" Jndmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbqampo.dll" Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mfhpilbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mafofggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohcmpn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkloka32.dll" Hgebnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khabdi32.dll" Icbbimih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imjgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmmedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcjmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ibnjkbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjaeema.dll" Ookhfigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gphddlfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqnejaff.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mllccpfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjoeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklmbbeg.dll" Hadcce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkhpogij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jidinqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ampaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncmaai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmlpjdgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Babcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaaldjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hqkjaifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Pldnki32.dll" Jjakkmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eeomfioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ecdbop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glchjedc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ggkqgaol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcneeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dedkogqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofhqmba.dll" Lipmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolqioah.dll" Dbbdip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkhpogij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcikfcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gegkpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnehj32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pecpknke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkoqn32.dll" Jmijnfgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbjkkjkc.dll" Lokldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bqnemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aochpj32.dll" Kcikfcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdinefi.dll" Eqdpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caekaaoh.dll" Mlgjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cboibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jcaeea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngjpgqp.dll" Biljib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnpbgajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 
Mhckcgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjfdfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qnamofdf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (identical rows collapsed, number of occurrences in parentheses)
PID 1028 wrote to memory of 4296 | 1028 | 31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe | 95 (3)
PID 4296 wrote to memory of 4532 | 4296 | Mgeakekd.exe | 96 (3)
PID 4532 wrote to memory of 4724 | 4532 | Nnafno32.exe | 97 (3)
PID 4724 wrote to memory of 4124 | 4724 | Nncccnol.exe | 98 (3)
PID 4124 wrote to memory of 1748 | 4124 | Nglhld32.exe | 99 (3)
PID 1748 wrote to memory of 4616 | 1748 | Npgmpf32.exe | 100 (3)
PID 4616 wrote to memory of 4116 | 4616 | Ngqagcag.exe | 101 (3)
PID 4116 wrote to memory of 2192 | 4116 | Ogcnmc32.exe | 102 (3)
PID 2192 wrote to memory of 2984 | 2192 | Onocomdo.exe | 103 (3)
PID 2984 wrote to memory of 4620 | 2984 | Ppgegd32.exe | 104 (3)
PID 4620 wrote to memory of 3420 | 4620 | Pagbaglh.exe | 105 (3)
PID 3420 wrote to memory of 4236 | 3420 | Ppolhcnm.exe | 106 (3)
PID 4236 wrote to memory of 872 | 4236 | Qacameaj.exe | 108 (3)
PID 872 wrote to memory of 2988 | 872 | Cdbpgl32.exe | 110 (3)
PID 2988 wrote to memory of 4388 | 2988 | Dnonkq32.exe | 111 (3)
PID 4388 wrote to memory of 3700 | 4388 | Ddkbmj32.exe | 112 (3)
PID 3700 wrote to memory of 624 | 3700 | Eqdpgk32.exe | 113 (3)
PID 624 wrote to memory of 4456 | 624 | Eoepebho.exe | 114 (3)
PID 4456 wrote to memory of 2304 | 4456 | Ebifmm32.exe | 115 (3)
PID 2304 wrote to memory of 3252 | 2304 | Ekajec32.exe | 117 (3)
PID 3252 wrote to memory of 3808 | 3252 | Fgjhpcmo.exe | 119 (3)
PID 3808 wrote to memory of 3140 | 3808 | Filapfbo.exe | 120 (1)
Processes
Process tree, flattened: each entry is the child of the entry before it. Columns: image path, command line (in parentheses), PID, then the signatures triggered by that process.
1. C:\Users\Admin\AppData\Local\Temp\31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe ("C:\Users\Admin\AppData\Local\Temp\31f8e9ff93bd9b7ba170cc57468a3681fc11133fc36d816170f56f3a868c9bcd.exe") PID 1028: Drops file in System32 directory; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Mgeakekd.exe (C:\Windows\system32\Mgeakekd.exe) PID 4296: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Nnafno32.exe (C:\Windows\system32\Nnafno32.exe) PID 4532: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Nncccnol.exe (C:\Windows\system32\Nncccnol.exe) PID 4724: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Nglhld32.exe (C:\Windows\system32\Nglhld32.exe) PID 4124: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Npgmpf32.exe (C:\Windows\system32\Npgmpf32.exe) PID 1748: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ngqagcag.exe (C:\Windows\system32\Ngqagcag.exe) PID 4616: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ogcnmc32.exe (C:\Windows\system32\Ogcnmc32.exe) PID 4116: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Onocomdo.exe (C:\Windows\system32\Onocomdo.exe) PID 2192: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ppgegd32.exe (C:\Windows\system32\Ppgegd32.exe) PID 2984: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pagbaglh.exe (C:\Windows\system32\Pagbaglh.exe) PID 4620: Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ppolhcnm.exe (C:\Windows\system32\Ppolhcnm.exe) PID 3420: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Qacameaj.exe (C:\Windows\system32\Qacameaj.exe) PID 4236: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Cdbpgl32.exe (C:\Windows\system32\Cdbpgl32.exe) PID 872: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Dnonkq32.exe (C:\Windows\system32\Dnonkq32.exe) PID 2988: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ddkbmj32.exe (C:\Windows\system32\Ddkbmj32.exe) PID 4388: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Eqdpgk32.exe (C:\Windows\system32\Eqdpgk32.exe) PID 3700: Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Eoepebho.exe (C:\Windows\system32\Eoepebho.exe) PID 624: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ebifmm32.exe (C:\Windows\system32\Ebifmm32.exe) PID 4456: Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Ekajec32.exe (C:\Windows\system32\Ekajec32.exe) PID 2304: Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Fgjhpcmo.exe (C:\Windows\system32\Fgjhpcmo.exe) PID 3252: Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Filapfbo.exe (C:\Windows\system32\Filapfbo.exe) PID 3808: Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Fqgedh32.exe (C:\Windows\system32\Fqgedh32.exe) PID 3140: Executes dropped EXE
24. C:\Windows\SysWOW64\Gegkpf32.exe (C:\Windows\system32\Gegkpf32.exe) PID 4284: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
25. C:\Windows\SysWOW64\Ganldgib.exe (C:\Windows\system32\Ganldgib.exe) PID 2976: Executes dropped EXE
26. C:\Windows\SysWOW64\Gbnhoj32.exe (C:\Windows\system32\Gbnhoj32.exe) PID 1104: Executes dropped EXE; Drops file in System32 directory
27. C:\Windows\SysWOW64\Ggkqgaol.exe (C:\Windows\system32\Ggkqgaol.exe) PID 2244: Executes dropped EXE; Modifies registry class
28. C:\Windows\SysWOW64\Geoapenf.exe (C:\Windows\system32\Geoapenf.exe) PID 4760: Executes dropped EXE
29. C:\Windows\SysWOW64\Hpfbcn32.exe (C:\Windows\system32\Hpfbcn32.exe) PID 800: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
30. C:\Windows\SysWOW64\Hnlodjpa.exe (C:\Windows\system32\Hnlodjpa.exe) PID 4912: Executes dropped EXE
31. C:\Windows\SysWOW64\Halhfe32.exe (C:\Windows\system32\Halhfe32.exe) PID 3192: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
32. C:\Windows\SysWOW64\Hpmhdmea.exe (C:\Windows\system32\Hpmhdmea.exe) PID 2400: Executes dropped EXE
33. C:\Windows\SysWOW64\Iacngdgj.exe (C:\Windows\system32\Iacngdgj.exe) PID 1972: Executes dropped EXE
34. C:\Windows\SysWOW64\Ibegfglj.exe (C:\Windows\system32\Ibegfglj.exe) PID 4880: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35. C:\Windows\SysWOW64\Iialhaad.exe (C:\Windows\system32\Iialhaad.exe) PID 2316
36. C:\Windows\SysWOW64\Ibjqaf32.exe (C:\Windows\system32\Ibjqaf32.exe) PID 2440: Executes dropped EXE
37. C:\Windows\SysWOW64\Jidinqpb.exe (C:\Windows\system32\Jidinqpb.exe) PID 1548: Executes dropped EXE; Modifies registry class
38. C:\Windows\SysWOW64\Jekjcaef.exe (C:\Windows\system32\Jekjcaef.exe) PID 3128: Executes dropped EXE
39. C:\Windows\SysWOW64\Jbojlfdp.exe (C:\Windows\system32\Jbojlfdp.exe) PID 2676: Executes dropped EXE
40. C:\Windows\SysWOW64\Jpbjfjci.exe (C:\Windows\system32\Jpbjfjci.exe) PID 452: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
41. C:\Windows\SysWOW64\Jimldogg.exe (C:\Windows\system32\Jimldogg.exe) PID 4488: Executes dropped EXE
42. C:\Windows\SysWOW64\Jahqiaeb.exe (C:\Windows\system32\Jahqiaeb.exe) PID 1180: Executes dropped EXE
43. C:\Windows\SysWOW64\Klpakj32.exe (C:\Windows\system32\Klpakj32.exe) PID 1408: Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Keifdpif.exe (C:\Windows\system32\Keifdpif.exe) PID 3324: Executes dropped EXE; Drops file in System32 directory
45. C:\Windows\SysWOW64\Klbnajqc.exe (C:\Windows\system32\Klbnajqc.exe) PID 4396: Executes dropped EXE
46. C:\Windows\SysWOW64\Kcoccc32.exe (C:\Windows\system32\Kcoccc32.exe) PID 4988: Executes dropped EXE; Drops file in System32 directory
47. C:\Windows\SysWOW64\Kpccmhdg.exe (C:\Windows\system32\Kpccmhdg.exe) PID 3816: Executes dropped EXE
48. C:\Windows\SysWOW64\Lhnhajba.exe (C:\Windows\system32\Lhnhajba.exe) PID 4228: Executes dropped EXE
49. C:\Windows\SysWOW64\Lohqnd32.exe (C:\Windows\system32\Lohqnd32.exe) PID 5124: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50. C:\Windows\SysWOW64\Lhqefjpo.exe (C:\Windows\system32\Lhqefjpo.exe) PID 5156: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
51. C:\Windows\SysWOW64\Lakfeodm.exe (C:\Windows\system32\Lakfeodm.exe) PID 5200: Executes dropped EXE
52. C:\Windows\SysWOW64\Lplfcf32.exe (C:\Windows\system32\Lplfcf32.exe) PID 5236: Executes dropped EXE; Modifies registry class
53. C:\Windows\SysWOW64\Mjggal32.exe (C:\Windows\system32\Mjggal32.exe) PID 5276: Executes dropped EXE
54. C:\Windows\SysWOW64\Mcoljagj.exe (C:\Windows\system32\Mcoljagj.exe) PID 5316: Executes dropped EXE
55. C:\Windows\SysWOW64\Mhoahh32.exe (C:\Windows\system32\Mhoahh32.exe) PID 5368: Executes dropped EXE
56. C:\Windows\SysWOW64\Mjnnbk32.exe (C:\Windows\system32\Mjnnbk32.exe) PID 5408: Executes dropped EXE
57. C:\Windows\SysWOW64\Mhckcgpj.exe (C:\Windows\system32\Mhckcgpj.exe) PID 5448: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
58. C:\Windows\SysWOW64\Njbgmjgl.exe (C:\Windows\system32\Njbgmjgl.exe) PID 5492: Executes dropped EXE
59. C:\Windows\SysWOW64\Nqmojd32.exe (C:\Windows\system32\Nqmojd32.exe) PID 5560: Executes dropped EXE
60. C:\Windows\SysWOW64\Noblkqca.exe (C:\Windows\system32\Noblkqca.exe) PID 5608: Executes dropped EXE
61. C:\Windows\SysWOW64\Njgqhicg.exe (C:\Windows\system32\Njgqhicg.exe) PID 5652: Executes dropped EXE
62. C:\Windows\SysWOW64\Nqcejcha.exe (C:\Windows\system32\Nqcejcha.exe) PID 5712: Executes dropped EXE
63. C:\Windows\SysWOW64\Nmjfodne.exe (C:\Windows\system32\Nmjfodne.exe) PID 5752: Executes dropped EXE
64. C:\Windows\SysWOW64\Obgohklm.exe (C:\Windows\system32\Obgohklm.exe) PID 5792: Executes dropped EXE
65. C:\Windows\SysWOW64\Ofegni32.exe (C:\Windows\system32\Ofegni32.exe) PID 5840: Executes dropped EXE
66. C:\Windows\SysWOW64\Oqklkbbi.exe (C:\Windows\system32\Oqklkbbi.exe) PID 5880: Executes dropped EXE
67. C:\Windows\SysWOW64\Ofgdcipq.exe (C:\Windows\system32\Ofgdcipq.exe) PID 5920
68. C:\Windows\SysWOW64\Obnehj32.exe (C:\Windows\system32\Obnehj32.exe) PID 5960: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
69. C:\Windows\SysWOW64\Oflmnh32.exe (C:\Windows\system32\Oflmnh32.exe) PID 6004
70. C:\Windows\SysWOW64\Pjjfdfbb.exe (C:\Windows\system32\Pjjfdfbb.exe) PID 6060
71. C:\Windows\SysWOW64\Pcegclgp.exe (C:\Windows\system32\Pcegclgp.exe) PID 6100
72. C:\Windows\SysWOW64\Pcgdhkem.exe (C:\Windows\system32\Pcgdhkem.exe) PID 3992
73. C:\Windows\SysWOW64\Pfhmjf32.exe (C:\Windows\system32\Pfhmjf32.exe) PID 5188
74. C:\Windows\SysWOW64\Qppaclio.exe (C:\Windows\system32\Qppaclio.exe) PID 4764
75. C:\Windows\SysWOW64\Qmdblp32.exe (C:\Windows\system32\Qmdblp32.exe) PID 5260
76. C:\Windows\SysWOW64\Qfmfefni.exe (C:\Windows\system32\Qfmfefni.exe) PID 4252
77. C:\Windows\SysWOW64\Aabkbono.exe (C:\Windows\system32\Aabkbono.exe) PID 5388
78. C:\Windows\SysWOW64\Amikgpcc.exe (C:\Windows\system32\Amikgpcc.exe) PID 5480: Drops file in System32 directory
79. C:\Windows\SysWOW64\Acccdj32.exe (C:\Windows\system32\Acccdj32.exe) PID 5620
80. C:\Windows\SysWOW64\Adepji32.exe (C:\Windows\system32\Adepji32.exe) PID 5680
81. C:\Windows\SysWOW64\Adgmoigj.exe (C:\Windows\system32\Adgmoigj.exe) PID 5760: Adds autorun key to be loaded by Explorer.exe on startup
82. C:\Windows\SysWOW64\Ampaho32.exe (C:\Windows\system32\Ampaho32.exe) PID 5824: Drops file in System32 directory; Modifies registry class
83. C:\Windows\SysWOW64\Abmjqe32.exe (C:\Windows\system32\Abmjqe32.exe) PID 5904: Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Babcil32.exe (C:\Windows\system32\Babcil32.exe) PID 6000: Modifies registry class
85. C:\Windows\SysWOW64\Bmidnm32.exe (C:\Windows\system32\Bmidnm32.exe) PID 6108: Drops file in System32 directory
86. C:\Windows\SysWOW64\Bbfmgd32.exe (C:\Windows\system32\Bbfmgd32.exe) PID 5184
87. C:\Windows\SysWOW64\Cmnnimak.exe (C:\Windows\system32\Cmnnimak.exe) PID 5252
88. C:\Windows\SysWOW64\Cgfbbb32.exe (C:\Windows\system32\Cgfbbb32.exe) PID 5392
89. C:\Windows\SysWOW64\Calfpk32.exe (C:\Windows\system32\Calfpk32.exe) PID 5596
90. C:\Windows\SysWOW64\Ccmcgcmp.exe (C:\Windows\system32\Ccmcgcmp.exe) PID 5736
91. C:\Windows\SysWOW64\Cancekeo.exe (C:\Windows\system32\Cancekeo.exe) PID 5832: Adds autorun key to be loaded by Explorer.exe on startup
92. C:\Windows\SysWOW64\Cmedjl32.exe (C:\Windows\system32\Cmedjl32.exe) PID 5968
93. C:\Windows\SysWOW64\Ccblbb32.exe (C:\Windows\system32\Ccblbb32.exe) PID 3396
94. C:\Windows\SysWOW64\Ccdihbgg.exe (C:\Windows\system32\Ccdihbgg.exe) PID 5324
95. C:\Windows\SysWOW64\Dmjmekgn.exe (C:\Windows\system32\Dmjmekgn.exe) PID 5696: Modifies registry class
96. C:\Windows\SysWOW64\Dknnoofg.exe (C:\Windows\system32\Dknnoofg.exe) PID 5876
97. C:\Windows\SysWOW64\Dcibca32.exe (C:\Windows\system32\Dcibca32.exe) PID 6036
98. C:\Windows\SysWOW64\Dajbaika.exe (C:\Windows\system32\Dajbaika.exe) PID 5500
99. C:\Windows\SysWOW64\Dkbgjo32.exe (C:\Windows\system32\Dkbgjo32.exe) PID 5972
100. C:\Windows\SysWOW64\Dalofi32.exe (C:\Windows\system32\Dalofi32.exe) PID 5464
101. C:\Windows\SysWOW64\Djgdkk32.exe (C:\Windows\system32\Djgdkk32.exe) PID 5504
102. C:\Windows\SysWOW64\Dcphdqmj.exe (C:\Windows\system32\Dcphdqmj.exe) PID 5472: Drops file in System32 directory
103. C:\Windows\SysWOW64\Ejjaqk32.exe (C:\Windows\system32\Ejjaqk32.exe) PID 6192
104. C:\Windows\SysWOW64\Ecbeip32.exe (C:\Windows\system32\Ecbeip32.exe) PID 6232: Adds autorun key to be loaded by Explorer.exe on startup
105. C:\Windows\SysWOW64\Ejlnfjbd.exe (C:\Windows\system32\Ejlnfjbd.exe) PID 6272
106. C:\Windows\SysWOW64\Ecdbop32.exe (C:\Windows\system32\Ecdbop32.exe) PID 6308: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
107. C:\Windows\SysWOW64\Eafbmgad.exe (C:\Windows\system32\Eafbmgad.exe) PID 6352: Drops file in System32 directory
108. C:\Windows\SysWOW64\Ecgodpgb.exe (C:\Windows\system32\Ecgodpgb.exe) PID 6392
109. C:\Windows\SysWOW64\Ejagaj32.exe (C:\Windows\system32\Ejagaj32.exe) PID 6436
110. C:\Windows\SysWOW64\Eajlhg32.exe (C:\Windows\system32\Eajlhg32.exe) PID 6484: Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Fkcpql32.exe (C:\Windows\system32\Fkcpql32.exe) PID 6528: Drops file in System32 directory
112. C:\Windows\SysWOW64\Fcneeo32.exe (C:\Windows\system32\Fcneeo32.exe) PID 6572: Modifies registry class
113. C:\Windows\SysWOW64\Fjhmbihg.exe (C:\Windows\system32\Fjhmbihg.exe) PID 6636: Drops file in System32 directory
114. C:\Windows\SysWOW64\Fglnkm32.exe (C:\Windows\system32\Fglnkm32.exe) PID 6688
115. C:\Windows\SysWOW64\Fqdbdbna.exe (C:\Windows\system32\Fqdbdbna.exe) PID 6732: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
116. C:\Windows\SysWOW64\Fkjfakng.exe (C:\Windows\system32\Fkjfakng.exe) PID 6776: Modifies registry class
117. C:\Windows\SysWOW64\Fnjocf32.exe (C:\Windows\system32\Fnjocf32.exe) PID 6828
118. C:\Windows\SysWOW64\Gjaphgpl.exe (C:\Windows\system32\Gjaphgpl.exe) PID 6872
119. C:\Windows\SysWOW64\Gcjdam32.exe (C:\Windows\system32\Gcjdam32.exe) PID 6916
120. C:\Windows\SysWOW64\Gqnejaff.exe (C:\Windows\system32\Gqnejaff.exe) PID 6960: Modifies registry class
121. C:\Windows\SysWOW64\Gcnnllcg.exe (C:\Windows\system32\Gcnnllcg.exe) PID 7012
122. C:\Windows\SysWOW64\Gndbie32.exe (C:\Windows\system32\Gndbie32.exe) PID 7052