Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
8s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
06/04/2024, 23:59
Static task
static1
Behavioral task
behavioral1
Sample
a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe
Resource
win10v2004-20240226-en
General
-
Target
a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe
-
Size
347KB
-
MD5
63192c87f844480b66420c3bb4c72422
-
SHA1
8b6fd1b435dad60e1dc5d894e1b60528bb27bd0b
-
SHA256
a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82
-
SHA512
d5f3c1fa6e1700e89d18829f5b223b73f033dd005efd84cce0553cb4911c287873d516d082f073c058f543b6df88741e7d7bada523525b5777121fcbbb781744
-
SSDEEP
6144:VUCwXPUZ9hCn25Px4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:A/UZzCox4brRGFB24lwR45FB24lEk
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgeefbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clilkfnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppkph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjadmnic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aemkjiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhbped32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfbkmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eqpgol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjadmnic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdgneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdjdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alpmfdcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhmpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dogefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkfdnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajejgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhmjkaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ceaadk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aamfnkai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddgjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhimnma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe -
Executes dropped EXE 64 IoCs
pid Process 1936 Hdfflm32.exe 2544 Hgilchkf.exe 2596 Hhmepp32.exe 2740 Inljnfkg.exe 2552 Inngcfid.exe 2516 Ijgdngmf.exe 1036 Jmhmpb32.exe 2884 Jiondcpk.exe 2116 Jjojofgn.exe 2760 Jgidao32.exe 2840 Kihqkagp.exe 628 Kfbkmk32.exe 1692 Kpmlkp32.exe 472 Lbnemk32.exe 1160 Lbqabkql.exe 564 Lhmjkaoc.exe 832 Lkncmmle.exe 1612 Mggpgmof.exe 2300 Mgimmm32.exe 1788 Mlibjc32.exe 1608 Mpfkqb32.exe 1964 Mhbped32.exe 768 Najdnj32.exe 2244 Nkbhgojk.exe 2284 Ndkmpe32.exe 892 Naoniipe.exe 2964 Naajoinb.exe 1688 Nkiogn32.exe 2024 Nacgdhlp.exe 2660 Olmhdf32.exe 2836 Onmdoioa.exe 2492 Okgnab32.exe 1960 Oikojfgk.exe 2560 Obcccl32.exe 2892 Pgplkb32.exe 2888 Pbfpik32.exe 2312 Pgbhabjp.exe 2528 Pjadmnic.exe 2868 Pgeefbhm.exe 1424 Pnomcl32.exe 1752 Pclfkc32.exe 2316 Pfjbgnme.exe 2624 Pmdjdh32.exe 592 Pcnbablo.exe 1480 Qabcjgkh.exe 2340 Qjjgclai.exe 812 Qmicohqm.exe 2128 Qbelgood.exe 1780 Amkpegnj.exe 1776 Abhimnma.exe 2936 Aefeijle.exe 2020 Alpmfdcb.exe 2348 Aamfnkai.exe 2224 Ajejgp32.exe 1852 Ajhgmpfg.exe 2976 Aemkjiem.exe 2636 Aoepcn32.exe 1932 Bdbhke32.exe 2644 Bmkmdk32.exe 2592 Bdeeqehb.exe 2856 Bmmiij32.exe 2716 Bdgafdfp.exe 2664 Bmpfojmp.exe 2412 Bghjhp32.exe -
Loads dropped DLL 64 IoCs
pid Process 1260 a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe 1260 a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe 1936 Hdfflm32.exe 1936 Hdfflm32.exe 2544 Hgilchkf.exe 2544 Hgilchkf.exe 2596 Hhmepp32.exe 2596 Hhmepp32.exe 2740 Inljnfkg.exe 2740 Inljnfkg.exe 2552 Inngcfid.exe 2552 Inngcfid.exe 2516 Ijgdngmf.exe 2516 Ijgdngmf.exe 1036 Jmhmpb32.exe 1036 Jmhmpb32.exe 2884 Jiondcpk.exe 2884 Jiondcpk.exe 2116 Jjojofgn.exe 2116 Jjojofgn.exe 2760 Jgidao32.exe 2760 Jgidao32.exe 2840 Kihqkagp.exe 2840 Kihqkagp.exe 628 Kfbkmk32.exe 628 Kfbkmk32.exe 1692 Kpmlkp32.exe 1692 Kpmlkp32.exe 472 Lbnemk32.exe 472 Lbnemk32.exe 1160 Lbqabkql.exe 1160 Lbqabkql.exe 564 Lhmjkaoc.exe 564 Lhmjkaoc.exe 832 Lkncmmle.exe 832 Lkncmmle.exe 1612 Mggpgmof.exe 1612 Mggpgmof.exe 2300 Mgimmm32.exe 2300 Mgimmm32.exe 1788 Mlibjc32.exe 1788 Mlibjc32.exe 1608 Mpfkqb32.exe 1608 Mpfkqb32.exe 1964 Mhbped32.exe 1964 Mhbped32.exe 768 Najdnj32.exe 768 Najdnj32.exe 2244 Nkbhgojk.exe 2244 Nkbhgojk.exe 2284 Ndkmpe32.exe 2284 Ndkmpe32.exe 892 Naoniipe.exe 892 Naoniipe.exe 2964 Naajoinb.exe 2964 Naajoinb.exe 1688 Nkiogn32.exe 1688 Nkiogn32.exe 2024 Nacgdhlp.exe 2024 Nacgdhlp.exe 2660 Olmhdf32.exe 2660 Olmhdf32.exe 2836 Onmdoioa.exe 2836 Onmdoioa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lkncmmle.exe Lhmjkaoc.exe File opened for modification C:\Windows\SysWOW64\Mpfkqb32.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Bhglodcb.dll Qmicohqm.exe File created C:\Windows\SysWOW64\Dbkknojp.exe Dlnbeh32.exe File created C:\Windows\SysWOW64\Njmggi32.dll Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Acahnedo.dll Nacgdhlp.exe File created C:\Windows\SysWOW64\Hiilgb32.dll Pfjbgnme.exe File created C:\Windows\SysWOW64\Onjnkb32.dll Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Lhmjkaoc.exe Lbqabkql.exe File created C:\Windows\SysWOW64\Nkbhgojk.exe Najdnj32.exe File created C:\Windows\SysWOW64\Phccmbca.dll Aoepcn32.exe File created C:\Windows\SysWOW64\Ncfnmo32.dll Bmmiij32.exe File created C:\Windows\SysWOW64\Ddigjkid.exe Dbkknojp.exe File created C:\Windows\SysWOW64\Ebodiofk.exe Egjpkffe.exe File created C:\Windows\SysWOW64\Mhbped32.exe Mpfkqb32.exe File created C:\Windows\SysWOW64\Ndkmpe32.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Bfjpdigc.dll Onmdoioa.exe File opened for modification C:\Windows\SysWOW64\Egjpkffe.exe Eqpgol32.exe File created C:\Windows\SysWOW64\Jmgogg32.dll Mggpgmof.exe File opened for modification C:\Windows\SysWOW64\Alpmfdcb.exe Aefeijle.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aefeijle.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Cppkph32.exe File created C:\Windows\SysWOW64\Dglpbbbg.exe Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Dlgldibq.exe File opened for modification C:\Windows\SysWOW64\Ddgjdk32.exe Dlkepi32.exe File created C:\Windows\SysWOW64\Nbniiffi.dll Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Pgbhabjp.exe Pbfpik32.exe File created C:\Windows\SysWOW64\Ddpkof32.dll Pbfpik32.exe File created C:\Windows\SysWOW64\Aoepcn32.exe Aemkjiem.exe File created C:\Windows\SysWOW64\Clilkfnb.exe Cadhnmnm.exe File created C:\Windows\SysWOW64\Miikgeea.dll Naajoinb.exe File opened for modification C:\Windows\SysWOW64\Oikojfgk.exe Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Pmdjdh32.exe Pfjbgnme.exe File created C:\Windows\SysWOW64\Qbgpffch.dll Cppkph32.exe File created C:\Windows\SysWOW64\Hhijaf32.dll Ddigjkid.exe File created C:\Windows\SysWOW64\Amfidj32.dll Ebodiofk.exe File created C:\Windows\SysWOW64\Iqfmng32.dll Kihqkagp.exe File created C:\Windows\SysWOW64\Mpfkqb32.exe Mlibjc32.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Nkiogn32.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dlkepi32.exe File created C:\Windows\SysWOW64\Kihqkagp.exe Jgidao32.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bmpfojmp.exe File created C:\Windows\SysWOW64\Ajejgp32.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Hgilchkf.exe Hdfflm32.exe File opened for modification C:\Windows\SysWOW64\Hgilchkf.exe Hdfflm32.exe File created C:\Windows\SysWOW64\Dqlcpbbm.dll Kpmlkp32.exe File opened for modification C:\Windows\SysWOW64\Onmdoioa.exe Olmhdf32.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Oikojfgk.exe File opened for modification C:\Windows\SysWOW64\Qbelgood.exe Qmicohqm.exe File created C:\Windows\SysWOW64\Amkpegnj.exe Qbelgood.exe File created C:\Windows\SysWOW64\Gellaqbd.dll Clilkfnb.exe File created C:\Windows\SysWOW64\Mhkdik32.dll Cnaocmmi.exe File opened for modification C:\Windows\SysWOW64\Eqpgol32.exe Ddigjkid.exe File created C:\Windows\SysWOW64\Jdekadnf.dll Ijgdngmf.exe File created C:\Windows\SysWOW64\Gcghbk32.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Abhimnma.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Dlkepi32.exe Dfamcogo.exe File created C:\Windows\SysWOW64\Jfiilbkl.dll Dlnbeh32.exe File opened for modification C:\Windows\SysWOW64\Lbqabkql.exe Lbnemk32.exe File created C:\Windows\SysWOW64\Nkiogn32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Oikojfgk.exe Okgnab32.exe File created C:\Windows\SysWOW64\Bmfmjjgm.dll Alpmfdcb.exe File created C:\Windows\SysWOW64\Cdgneh32.exe Cnmehnan.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooafm32.dll" Lbqabkql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkbhgojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miikgeea.dll" Naajoinb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmmiij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll" Cclkfdnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdfflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgogg32.dll" Mggpgmof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpfkqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhmfm32.dll" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll" Egjpkffe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbqabkql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clilkfnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnhccm32.dll" Bldcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbjhf32.dll" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delpclld.dll" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfjpdigc.dll" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojbjm32.dll" Ckjpacfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjojofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Nkbhgojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll" Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnmehnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" Obcccl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehofegb.dll" Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oikojfgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfommp32.dll" Pnomcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjojofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfiilbkl.dll" Dlnbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" Dbkknojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekadnf.dll" Ijgdngmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkncmmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cadhnmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckjpacfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cclkfdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hdfflm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbjgh32.dll" Mlibjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phccmbca.dll" Aoepcn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1260 wrote to memory of 1936 1260 a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe 28 PID 1260 wrote to memory of 1936 1260 a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe 28 PID 1260 wrote to memory of 1936 1260 a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe 28 PID 1260 wrote to memory of 1936 1260 a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe 28 PID 1936 wrote to memory of 2544 1936 Hdfflm32.exe 29 PID 1936 wrote to memory of 2544 1936 Hdfflm32.exe 29 PID 1936 wrote to memory of 2544 1936 Hdfflm32.exe 29 PID 1936 wrote to memory of 2544 1936 Hdfflm32.exe 29 PID 2544 wrote to memory of 2596 2544 Hgilchkf.exe 30 PID 2544 wrote to memory of 2596 2544 Hgilchkf.exe 30 PID 2544 wrote to memory of 2596 2544 Hgilchkf.exe 30 PID 2544 wrote to memory of 2596 2544 Hgilchkf.exe 30 PID 2596 wrote to memory of 2740 2596 Hhmepp32.exe 31 PID 2596 wrote to memory of 2740 2596 Hhmepp32.exe 31 PID 2596 wrote to memory of 2740 2596 Hhmepp32.exe 31 PID 2596 wrote to memory of 2740 2596 Hhmepp32.exe 31 PID 2740 wrote to memory of 2552 2740 Inljnfkg.exe 32 PID 2740 wrote to memory of 2552 2740 Inljnfkg.exe 32 PID 2740 wrote to memory of 2552 2740 Inljnfkg.exe 32 PID 2740 wrote to memory of 2552 2740 Inljnfkg.exe 32 PID 2552 wrote to memory of 2516 2552 Inngcfid.exe 33 PID 2552 wrote to memory of 2516 2552 Inngcfid.exe 33 PID 2552 wrote to memory of 2516 2552 Inngcfid.exe 33 PID 2552 wrote to memory of 2516 2552 Inngcfid.exe 33 PID 2516 wrote to memory of 1036 2516 Ijgdngmf.exe 34 PID 2516 wrote to memory of 1036 2516 Ijgdngmf.exe 34 PID 2516 wrote to memory of 1036 2516 Ijgdngmf.exe 34 PID 2516 wrote to memory of 1036 2516 Ijgdngmf.exe 34 PID 1036 wrote to memory of 2884 1036 Jmhmpb32.exe 35 PID 1036 wrote to memory of 2884 1036 Jmhmpb32.exe 35 PID 1036 wrote to memory of 2884 1036 Jmhmpb32.exe 35 PID 1036 wrote to memory of 2884 1036 Jmhmpb32.exe 35 PID 2884 wrote to memory of 2116 2884 Jiondcpk.exe 36 PID 2884 wrote to memory of 2116 2884 Jiondcpk.exe 36 PID 2884 wrote to memory of 2116 2884 Jiondcpk.exe 36 PID 2884 wrote to memory of 2116 2884 Jiondcpk.exe 36 PID 2116 wrote to memory of 2760 2116 Jjojofgn.exe 37 PID 2116 wrote to memory of 2760 2116 Jjojofgn.exe 37 PID 2116 wrote to memory of 2760 2116 Jjojofgn.exe 37 PID 2116 wrote to memory of 2760 2116 Jjojofgn.exe 37 PID 2760 wrote to memory of 2840 2760 Jgidao32.exe 38 PID 2760 wrote to memory of 2840 2760 Jgidao32.exe 38 PID 2760 wrote to memory of 2840 2760 Jgidao32.exe 38 PID 2760 wrote to memory of 2840 2760 Jgidao32.exe 38 PID 2840 wrote to memory of 628 2840 Kihqkagp.exe 39 PID 2840 wrote to memory of 628 2840 Kihqkagp.exe 39 PID 2840 wrote to memory of 628 2840 Kihqkagp.exe 39 PID 2840 wrote to memory of 628 2840 Kihqkagp.exe 39 PID 628 wrote to memory of 1692 628 Kfbkmk32.exe 40 PID 628 wrote to memory of 1692 628 Kfbkmk32.exe 40 PID 628 wrote to memory of 1692 628 Kfbkmk32.exe 40 PID 628 wrote to memory of 1692 628 Kfbkmk32.exe 40 PID 1692 wrote to memory of 472 1692 Kpmlkp32.exe 41 PID 1692 wrote to memory of 472 1692 Kpmlkp32.exe 41 PID 1692 wrote to memory of 472 1692 Kpmlkp32.exe 41 PID 1692 wrote to memory of 472 1692 Kpmlkp32.exe 41 PID 472 wrote to memory of 1160 472 Lbnemk32.exe 42 PID 472 wrote to memory of 1160 472 Lbnemk32.exe 42 PID 472 wrote to memory of 1160 472 Lbnemk32.exe 42 PID 472 wrote to memory of 1160 472 Lbnemk32.exe 42 PID 1160 wrote to memory of 564 1160 Lbqabkql.exe 43 PID 1160 wrote to memory of 564 1160 Lbqabkql.exe 43 PID 1160 wrote to memory of 564 1160 Lbqabkql.exe 43 PID 1160 wrote to memory of 564 1160 Lbqabkql.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe"C:\Users\Admin\AppData\Local\Temp\a3b36a205ef909792912cad1941b587dcf33c3e07fdda70003744b0bef7b1a82.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe36⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Qmicohqm.exeC:\Windows\system32\Qmicohqm.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:812 -
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe60⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe66⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe67⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe68⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Cadhnmnm.exeC:\Windows\system32\Cadhnmnm.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe72⤵PID:1420
-
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe75⤵PID:2052
-
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe77⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Cppkph32.exeC:\Windows\system32\Cppkph32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe82⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1220 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe85⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Dlnbeh32.exeC:\Windows\system32\Dlnbeh32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe92⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe93⤵PID:368
-
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe94⤵PID:1680
-
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe95⤵PID:2852
-
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe96⤵PID:2500
-
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe97⤵PID:1200
-
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe98⤵PID:2016
-
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe99⤵PID:1920
-
C:\Windows\SysWOW64\Fpqdkf32.exeC:\Windows\system32\Fpqdkf32.exe100⤵PID:1996
-
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe101⤵PID:1616
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe102⤵PID:1484
-
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe103⤵PID:2260
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe104⤵PID:1368
-
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe105⤵PID:1048
-
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe106⤵PID:2216
-
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe107⤵PID:2096
-
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe108⤵PID:2532
-
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe109⤵PID:2352
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe110⤵PID:2924
-
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe111⤵PID:3008
-
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe112⤵PID:2448
-
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe113⤵PID:2068
-
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe114⤵PID:2984
-
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe115⤵PID:2816
-
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe116⤵PID:2780
-
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe117⤵PID:2824
-
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe118⤵PID:268
-
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe119⤵PID:1708
-
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe120⤵PID:2296
-
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe121⤵PID:2160
-
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe122⤵PID:1140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-