Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19/03/2024, 21:17
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe
-
Size
243KB
-
MD5
3510f11c92b513efe9b497cb133d672b
-
SHA1
7c5a111cb113471e5aa2e8d1cc15437f0fe1fd10
-
SHA256
6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09
-
SHA512
99c9115fc5576884c713d300867a1d36b1787e64478a95d3de3a9ef8c694201ca94211af57478dee761110ffb7d609a73b8d692ec571f97075d24e6964905666
-
SSDEEP
3072:RRPG9HpaXprXKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:7G9JaXtXKzwdlU2zlNgwTnAWtlhjQ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehhgfdho.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejjqeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgkql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdffocib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpljkdig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpojcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcklgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqklmpdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlddi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcqjfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipqnahgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcpebmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpaghf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmgdgjek.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbkamnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpgkkioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbnmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fopldmcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kibnhjgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhmng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbahlip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iffmccbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipckgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imihfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpojcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoifcnid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcekkjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpocjdld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkkdan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmmhdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijfboafl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpnlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmofolg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijdhiaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efpajh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcakg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcedaheh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofinnkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdnpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjfnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngcgcjnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejlmkgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fodeolof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjbcbqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laopdgcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcpllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjjmog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjocgdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjbcbqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpkbebbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkhjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmaioo32.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral2/files/0x000700000001ebc7-8.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000001ebc7-7.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a0000000231c0-16.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231cc-23.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231cf-31.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231cf-26.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231cf-32.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231d5-54.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3912-59-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231d5-53.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231d7-62.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231d7-63.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231db-79.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1852-88-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231e3-111.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231e5-119.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231e3-113.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1860-112-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231e7-128.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/2416-137-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231eb-145.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231f3-176.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00090000000231c7-199.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231fa-209.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231fc-216.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000231fe-223.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023202-233.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023204-247.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023206-256.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3476-285-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4684-321-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322f-375.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023235-393.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4256-449-0x0000000000400000-0x0000000000467000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023282-618.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b4-770.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023329-1118.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002335a-1250.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000233b4-1496.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000233b9-1509.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002339e-1434.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002339a-1424.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023392-1402.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000233cd-1563.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023386-1371.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002336e-1304.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002336a-1294.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002335e-1261.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023343-1189.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023335-1149.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002332f-1133.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023317-1068.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232fe-998.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232fa-986.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232ee-948.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232ea-936.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232e6-924.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232de-899.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232da-888.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232d6-875.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232ce-852.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232c2-814.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b8-784.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b0-758.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process 2524 Cpljkdig.exe 2108 Ceibclgn.exe 4760 Chgoogfa.exe 3700 Cpofpdgd.exe 3912 Ccmclp32.exe 3304 Cekohk32.exe 4212 Digkijmd.exe 1548 Dhjkdg32.exe 1672 Doccaall.exe 1168 Denlnk32.exe 1852 Dhlhjf32.exe 4144 Dofpgqji.exe 1812 Dadlclim.exe 1860 Djlddi32.exe 4676 Dohmlp32.exe 4412 Debeijoc.exe 2416 Dhqaefng.exe 2004 Dokjbp32.exe 4004 Dfdbojmq.exe 3484 Dpjflb32.exe 3032 Dakbckbe.exe 4504 Ejbkehcg.exe 1772 Epmcab32.exe 1444 Eckonn32.exe 4764 Ejegjh32.exe 864 Ehhgfdho.exe 3568 Eoapbo32.exe 2860 Ebploj32.exe 4964 Ehjdldfl.exe 4012 Eleplc32.exe 1388 Eodlho32.exe 112 Efneehef.exe 3760 Ejjqeg32.exe 2912 Elhmablc.exe 4400 Eofinnkf.exe 3476 Efpajh32.exe 3324 Ejlmkgkl.exe 1480 Eoifcnid.exe 2376 Fbgbpihg.exe 2068 Fhajlc32.exe 3916 Fokbim32.exe 4684 Fjqgff32.exe 2976 Ficgacna.exe 3692 Fqkocpod.exe 2540 Fcikolnh.exe 4296 Ffggkgmk.exe 2928 Fifdgblo.exe 4792 Fopldmcl.exe 1188 Fckhdk32.exe 672 Ffjdqg32.exe 4000 Fihqmb32.exe 1684 Fqohnp32.exe 4116 Fobiilai.exe 2484 Fflaff32.exe 3612 Fijmbb32.exe 4484 Fmficqpc.exe 1172 Fodeolof.exe 3016 Gbcakg32.exe 4856 Gjjjle32.exe 4372 Gimjhafg.exe 556 Gqdbiofi.exe 2456 Gcbnejem.exe 840 Gfqjafdq.exe 4256 Gjlfbd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppmeid32.dll Hfachc32.exe File created C:\Windows\SysWOW64\Jplmmfmi.exe Jmnaakne.exe File created C:\Windows\SysWOW64\Olmeac32.dll Jdhine32.exe File created C:\Windows\SysWOW64\Fkindkmi.dll Doccaall.exe File created C:\Windows\SysWOW64\Mnocof32.exe Mjcgohig.exe File opened for modification C:\Windows\SysWOW64\Mahbje32.exe Mnlfigcc.exe File created C:\Windows\SysWOW64\Epmjjbbj.dll Mdiklqhm.exe File created C:\Windows\SysWOW64\Geegicjl.dll Mkgmcjld.exe File created C:\Windows\SysWOW64\Fibjjh32.dll Nceonl32.exe File created C:\Windows\SysWOW64\Bdghlnlo.dll Eckonn32.exe File created C:\Windows\SysWOW64\Nnjbke32.exe Nklfoi32.exe File opened for modification C:\Windows\SysWOW64\Maohkd32.exe Mncmjfmk.exe File created C:\Windows\SysWOW64\Lcglnp32.dll Fmficqpc.exe File created C:\Windows\SysWOW64\Iffmccbi.exe Ibjqcd32.exe File created C:\Windows\SysWOW64\Jmnaakne.exe Jibeql32.exe File opened for modification C:\Windows\SysWOW64\Kmjqmi32.exe Kkkdan32.exe File opened for modification C:\Windows\SysWOW64\Lkdggmlj.exe Lgikfn32.exe File opened for modification C:\Windows\SysWOW64\Fqkocpod.exe Ficgacna.exe File created C:\Windows\SysWOW64\Jmkdlkph.exe Jiphkm32.exe File created C:\Windows\SysWOW64\Klebid32.dll Hfljmdjc.exe File opened for modification C:\Windows\SysWOW64\Kkkdan32.exe Kgphpo32.exe File created C:\Windows\SysWOW64\Kmdigkkd.dll Mahbje32.exe File created C:\Windows\SysWOW64\Ekipni32.dll Mcpebmkb.exe File created C:\Windows\SysWOW64\Djlddi32.exe Dadlclim.exe File created C:\Windows\SysWOW64\Ldooifgl.dll Hpbaqj32.exe File created C:\Windows\SysWOW64\Jdhine32.exe Jplmmfmi.exe File created C:\Windows\SysWOW64\Oedbld32.dll Mjcgohig.exe File created C:\Windows\SysWOW64\Bkankc32.dll Majopeii.exe File created C:\Windows\SysWOW64\Dhjkdg32.exe Digkijmd.exe File created C:\Windows\SysWOW64\Nqjfoc32.dll Kbdmpqcb.exe File created C:\Windows\SysWOW64\Nnolfdcn.exe Njcpee32.exe File opened for modification C:\Windows\SysWOW64\Hmioonpn.exe Hjjbcbqj.exe File created C:\Windows\SysWOW64\Ipegmg32.exe Iabgaklg.exe File created C:\Windows\SysWOW64\Lifenaok.dll Mdfofakp.exe File created C:\Windows\SysWOW64\Peeafpaf.dll Gcbnejem.exe File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe Ndidbn32.exe File created C:\Windows\SysWOW64\Iifpphha.dll Ejbkehcg.exe File created C:\Windows\SysWOW64\Kncfca32.dll Fflaff32.exe File created C:\Windows\SysWOW64\Icljbg32.exe Ipqnahgf.exe File created C:\Windows\SysWOW64\Gncoccha.dll Kmjqmi32.exe File created C:\Windows\SysWOW64\Fcikolnh.exe Fqkocpod.exe File created C:\Windows\SysWOW64\Ibojncfj.exe Icljbg32.exe File created C:\Windows\SysWOW64\Iannfk32.exe Imbaemhc.exe File created C:\Windows\SysWOW64\Hofddb32.dll Fckhdk32.exe File created C:\Windows\SysWOW64\Ocdehlgh.dll Gqikdn32.exe File created C:\Windows\SysWOW64\Jpaghf32.exe Jmbklj32.exe File created C:\Windows\SysWOW64\Liggbi32.exe Lkdggmlj.exe File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe Lilanioo.exe File opened for modification C:\Windows\SysWOW64\Fcikolnh.exe Fqkocpod.exe File created C:\Windows\SysWOW64\Fbkmec32.dll Jaljgidl.exe File opened for modification C:\Windows\SysWOW64\Gqfooodg.exe Gjlfbd32.exe File created C:\Windows\SysWOW64\Lphfpbdi.exe Laefdf32.exe File created C:\Windows\SysWOW64\Mkbchk32.exe Mcklgm32.exe File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe Ngcgcjnc.exe File created C:\Windows\SysWOW64\Ddhbep32.dll Fjqgff32.exe File created C:\Windows\SysWOW64\Hpbjkl32.dll Fobiilai.exe File created C:\Windows\SysWOW64\Qgejif32.dll Lgikfn32.exe File opened for modification C:\Windows\SysWOW64\Ldohebqh.exe Lpcmec32.exe File created C:\Windows\SysWOW64\Ccmclp32.exe Cpofpdgd.exe File created C:\Windows\SysWOW64\Eofinnkf.exe Elhmablc.exe File opened for modification C:\Windows\SysWOW64\Jpgdbg32.exe Imihfl32.exe File opened for modification C:\Windows\SysWOW64\Jbhmdbnp.exe Jpjqhgol.exe File opened for modification C:\Windows\SysWOW64\Kgmlkp32.exe Kbapjafe.exe File created C:\Windows\SysWOW64\Kpdobeck.dll Mciobn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8832 8748 WerFault.exe 362 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll" Ejlmkgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll" Fflaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll" Haidklda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbanme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffggkgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqohnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iidipnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmnaakne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdjfcecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll" Ijdeiaio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhjob32.dll" Cpofpdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejjqeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmkdlkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll" Liggbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" Ngedij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haidklda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll" Kaemnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" Njacpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haidklda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifopiajn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejlmkgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndbnboqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmkdlkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffjdqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkgmcjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqiogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndidbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efneehef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpklpkio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdmegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icjmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll" Jigollag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nafokcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkncdifl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmhdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll" Jibeql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgbefoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll" Ifopiajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll" Jagqlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lalcng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll" Imihfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll" Gameonno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfljmdjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdcpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll" Ficgacna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laefdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncgkcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjflb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpjflb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkbchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll" Hboagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbapjafe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmgdgjek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Debeijoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhgfdho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpappc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgphpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll" Iannfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imihfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplmmfmi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4804 wrote to memory of 2524 4804 6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe 88 PID 4804 wrote to memory of 2524 4804 6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe 88 PID 4804 wrote to memory of 2524 4804 6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe 88 PID 2524 wrote to memory of 2108 2524 Cpljkdig.exe 89 PID 2524 wrote to memory of 2108 2524 Cpljkdig.exe 89 PID 2524 wrote to memory of 2108 2524 Cpljkdig.exe 89 PID 2108 wrote to memory of 4760 2108 Ceibclgn.exe 90 PID 2108 wrote to memory of 4760 2108 Ceibclgn.exe 90 PID 2108 wrote to memory of 4760 2108 Ceibclgn.exe 90 PID 4760 wrote to memory of 3700 4760 Chgoogfa.exe 91 PID 4760 wrote to memory of 3700 4760 Chgoogfa.exe 91 PID 4760 wrote to memory of 3700 4760 Chgoogfa.exe 91 PID 3700 wrote to memory of 3912 3700 Cpofpdgd.exe 92 PID 3700 wrote to memory of 3912 3700 Cpofpdgd.exe 92 PID 3700 wrote to memory of 3912 3700 Cpofpdgd.exe 92 PID 3912 wrote to memory of 3304 3912 Ccmclp32.exe 93 PID 3912 wrote to memory of 3304 3912 Ccmclp32.exe 93 PID 3912 wrote to memory of 3304 3912 Ccmclp32.exe 93 PID 3304 wrote to memory of 4212 3304 Cekohk32.exe 94 PID 3304 wrote to memory of 4212 3304 Cekohk32.exe 94 PID 3304 wrote to memory of 4212 3304 Cekohk32.exe 94 PID 4212 wrote to memory of 1548 4212 Digkijmd.exe 95 PID 4212 wrote to memory of 1548 4212 Digkijmd.exe 95 PID 4212 wrote to memory of 1548 4212 Digkijmd.exe 95 PID 1548 wrote to memory of 1672 1548 Dhjkdg32.exe 96 PID 1548 wrote to memory of 1672 1548 Dhjkdg32.exe 96 PID 1548 wrote to memory of 1672 1548 Dhjkdg32.exe 96 PID 1672 wrote to memory of 1168 1672 Doccaall.exe 97 PID 1672 wrote to memory of 1168 1672 Doccaall.exe 97 PID 1672 wrote to memory of 1168 1672 Doccaall.exe 97 PID 1168 wrote to memory of 1852 1168 Denlnk32.exe 98 PID 1168 wrote to memory of 1852 1168 Denlnk32.exe 98 PID 1168 wrote to memory of 1852 1168 Denlnk32.exe 98 PID 1852 wrote to memory of 4144 1852 Dhlhjf32.exe 99 PID 1852 wrote to memory of 4144 1852 Dhlhjf32.exe 99 PID 1852 wrote to memory of 4144 1852 Dhlhjf32.exe 99 PID 4144 wrote to memory of 1812 4144 Dofpgqji.exe 100 PID 4144 wrote to memory of 1812 4144 Dofpgqji.exe 100 PID 4144 wrote to memory of 1812 4144 Dofpgqji.exe 100 PID 1812 wrote to memory of 1860 1812 Dadlclim.exe 101 PID 1812 wrote to memory of 1860 1812 Dadlclim.exe 101 PID 1812 wrote to memory of 1860 1812 Dadlclim.exe 101 PID 1860 wrote to memory of 4676 1860 Djlddi32.exe 103 PID 1860 wrote to memory of 4676 1860 Djlddi32.exe 103 PID 1860 wrote to memory of 4676 1860 Djlddi32.exe 103 PID 4676 wrote to memory of 4412 4676 Dohmlp32.exe 104 PID 4676 wrote to memory of 4412 4676 Dohmlp32.exe 104 PID 4676 wrote to memory of 4412 4676 Dohmlp32.exe 104 PID 4412 wrote to memory of 2416 4412 Debeijoc.exe 105 PID 4412 wrote to memory of 2416 4412 Debeijoc.exe 105 PID 4412 wrote to memory of 2416 4412 Debeijoc.exe 105 PID 2416 wrote to memory of 2004 2416 Dhqaefng.exe 106 PID 2416 wrote to memory of 2004 2416 Dhqaefng.exe 106 PID 2416 wrote to memory of 2004 2416 Dhqaefng.exe 106 PID 2004 wrote to memory of 4004 2004 Dokjbp32.exe 108 PID 2004 wrote to memory of 4004 2004 Dokjbp32.exe 108 PID 2004 wrote to memory of 4004 2004 Dokjbp32.exe 108 PID 4004 wrote to memory of 3484 4004 Dfdbojmq.exe 109 PID 4004 wrote to memory of 3484 4004 Dfdbojmq.exe 109 PID 4004 wrote to memory of 3484 4004 Dfdbojmq.exe 109 PID 3484 wrote to memory of 3032 3484 Dpjflb32.exe 110 PID 3484 wrote to memory of 3032 3484 Dpjflb32.exe 110 PID 3484 wrote to memory of 3032 3484 Dpjflb32.exe 110 PID 3032 wrote to memory of 4504 3032 Dakbckbe.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe"C:\Users\Admin\AppData\Local\Temp\6e0a118916d810a8992dae17dcf80c2206012f9911c6517d233e9a97a250ee09.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ceibclgn.exeC:\Windows\system32\Ceibclgn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Chgoogfa.exeC:\Windows\system32\Chgoogfa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Dofpgqji.exeC:\Windows\system32\Dofpgqji.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4504 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe24⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Eckonn32.exeC:\Windows\system32\Eckonn32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe26⤵
- Executes dropped EXE
PID:4764 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Eoapbo32.exeC:\Windows\system32\Eoapbo32.exe28⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe29⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe30⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe31⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe32⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Eofinnkf.exeC:\Windows\system32\Eofinnkf.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Fbgbpihg.exeC:\Windows\system32\Fbgbpihg.exe40⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe41⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe42⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Ficgacna.exeC:\Windows\system32\Ficgacna.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Fqkocpod.exeC:\Windows\system32\Fqkocpod.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3692 -
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe46⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe48⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1188 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe52⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4116 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe56⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4484 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe60⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe61⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Gqdbiofi.exeC:\Windows\system32\Gqdbiofi.exe62⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Gfqjafdq.exeC:\Windows\system32\Gfqjafdq.exe64⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4256 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe66⤵PID:1296
-
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4892 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe69⤵
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe70⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe71⤵PID:1112
-
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe72⤵PID:5132
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5168 -
C:\Windows\SysWOW64\Gcidfi32.exeC:\Windows\system32\Gcidfi32.exe74⤵PID:5204
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe75⤵PID:5244
-
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe76⤵PID:5284
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe78⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe79⤵PID:5400
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe80⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe81⤵PID:5476
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe82⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe83⤵
- Modifies registry class
PID:5560 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:5600 -
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe85⤵PID:5636
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe86⤵PID:5676
-
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe87⤵PID:5724
-
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe89⤵PID:5816
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5856 -
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe91⤵PID:5896
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe92⤵PID:5936
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5976 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe94⤵PID:6032
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe95⤵
- Drops file in System32 directory
PID:6076 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe96⤵PID:6116
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe97⤵PID:5124
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe99⤵PID:5276
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe100⤵PID:5344
-
C:\Windows\SysWOW64\Hibljoco.exeC:\Windows\system32\Hibljoco.exe101⤵PID:5396
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe102⤵PID:5468
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe103⤵
- Modifies registry class
PID:5528 -
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4608 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe105⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5704 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe107⤵
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe108⤵PID:5864
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe109⤵PID:5932
-
C:\Windows\SysWOW64\Icjmmg32.exeC:\Windows\system32\Icjmmg32.exe110⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe112⤵PID:5156
-
C:\Windows\SysWOW64\Ijdeiaio.exeC:\Windows\system32\Ijdeiaio.exe113⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe114⤵
- Drops file in System32 directory
PID:5372 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe115⤵
- Modifies registry class
PID:5420 -
C:\Windows\SysWOW64\Ipqnahgf.exeC:\Windows\system32\Ipqnahgf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5552 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe117⤵
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Ibojncfj.exeC:\Windows\system32\Ibojncfj.exe118⤵PID:5748
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5884 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5996 -
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe121⤵PID:6124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-