Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/06/2024, 21:29
Static task: static1
Behavioral task: behavioral1
- Sample: 4f5c30a4b167186b4384a203a9f9f5cb18e0e556fb803169c8528cafcf649128.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 4f5c30a4b167186b4384a203a9f9f5cb18e0e556fb803169c8528cafcf649128.exe
- Resource: win10v2004-20240508-en
General
- Target: 4f5c30a4b167186b4384a203a9f9f5cb18e0e556fb803169c8528cafcf649128.exe
- Size: 88KB
- MD5: 84f7dbcd8805ca6b6538b51887a3bbdd
- SHA1: 8b46e49347ac672a1a840b1dc5f06a4f5fa248b9
- SHA256: 4f5c30a4b167186b4384a203a9f9f5cb18e0e556fb803169c8528cafcf649128
- SHA512: 16343d5580e6f4adf426aceb377f7fa448003859e0ba9bb6a70ae3dac1ce2324561e7b310167519483dc650cd5631dc09a079bdcbbc21574d2fbbd1fd1519b0a
- SSDEEP: 1536:aaK6UddXXuH9eQZfYhfxCKP6y4O7zCRr7Mnouy8L:a16UddXXW9HAhfxZPqRfMoutL
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 3648, pid_target: 3120, Process: WerFault.exe, procid_target: 331
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f5c30a4b167186b4384a203a9f9f5cb18e0e556fb803169c8528cafcf649128.exe"C:\Users\Admin\AppData\Local\Temp\4f5c30a4b167186b4384a203a9f9f5cb18e0e556fb803169c8528cafcf649128.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe33⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe35⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe36⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe38⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe41⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe42⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe43⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe44⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe46⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe47⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe51⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe55⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe57⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe58⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe59⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe60⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe62⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe65⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe66⤵PID:2508
-
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1036 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe68⤵PID:1932
-
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe69⤵PID:1644
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe70⤵PID:952
-
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe71⤵PID:1316
-
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe72⤵PID:1276
-
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe74⤵PID:1152
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe75⤵PID:1952
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe76⤵PID:1296
-
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe77⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe78⤵
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe79⤵PID:524
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe80⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe81⤵PID:860
-
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe82⤵PID:2644
-
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe83⤵PID:2608
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe85⤵PID:2664
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe86⤵PID:2032
-
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe87⤵PID:1300
-
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe88⤵PID:432
-
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe89⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe90⤵PID:1340
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe91⤵PID:2208
-
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe92⤵PID:2016
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe93⤵PID:1964
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe94⤵PID:2564
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe95⤵PID:2104
-
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe96⤵PID:2720
-
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe97⤵PID:2584
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe98⤵
- Modifies registry class
PID:240 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe100⤵PID:2192
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe101⤵PID:1824
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe103⤵PID:2596
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe106⤵PID:1108
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe107⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe109⤵PID:2912
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe111⤵PID:2704
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe112⤵PID:592
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe114⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe115⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe116⤵PID:2320
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe117⤵PID:1496
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1344 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe119⤵PID:2792
-
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe120⤵PID:1744
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe122⤵PID:2544
-