Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
02/08/2024, 00:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2c638f43a1093fc07790c946246256e0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
2c638f43a1093fc07790c946246256e0N.exe
Resource
win10v2004-20240730-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
2c638f43a1093fc07790c946246256e0N.exe
-
Size
64KB
-
MD5
2c638f43a1093fc07790c946246256e0
-
SHA1
48b6e7857775e08dd1bdee81281b30b0dfca2d47
-
SHA256
792fcdfa113ea73a5d8644db3bad3e793324d236f00d7f68b446935ca9267650
-
SHA512
d3aeba0bef9401e5063c21d456cd269afce123cdeeefbc5bad4bc60d34562f30dda0739dddbc1e3ed0d7d96312b795c6730b9938391edfc63c4198c07c22f632
-
SSDEEP
768:zx3xu3/n4xlWH/sXAVSHLveiYASCdzHCoZt05Hmd4FFFFFFFDe3lnE/1H5t+Xdnk:pxI/n/s7HWAFzi3HpFFFFFFFx4zDfWqc
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoofle32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbphdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpkep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidlnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offnhpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqhdbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogekbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paoollik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhecmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdlmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphkkpbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpimlfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgpod32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipmfjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcfahbpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baadiiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pocfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenmcggo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpcfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplbickp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbjoeojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhgkmpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glengm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiccajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhifjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgacokc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajggomog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfphc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdehni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enkdaepb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hienlpel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglfplgk.exe -
Executes dropped EXE 64 IoCs
pid Process 2080 Piphgq32.exe 3844 Plndcl32.exe 2036 Pchlpfjb.exe 184 Pakllc32.exe 1252 Pibdmp32.exe 4360 Phedhmhi.exe 5080 Pkcadhgm.exe 260 Pamiaboj.exe 3824 Plbmokop.exe 3276 Pkenjh32.exe 3212 Papfgbmg.exe 740 Pifnhpmi.exe 4144 Plejdkmm.exe 4972 Pocfpf32.exe 4236 Pabblb32.exe 1364 Piijno32.exe 4952 Qlggjk32.exe 4488 Qkjgegae.exe 4076 Qcaofebg.exe 4164 Qepkbpak.exe 2496 Qhngolpo.exe 3952 Qkmdkgob.exe 752 Qaflgago.exe 3568 Ajndioga.exe 3864 Allpejfe.exe 4256 Acfhad32.exe 2764 Aeddnp32.exe 2688 Ahcajk32.exe 4652 Akamff32.exe 1556 Achegd32.exe 4700 Afgacokc.exe 4940 Ahenokjf.exe 4400 Alqjpi32.exe 2004 Aoofle32.exe 844 Ackbmcjl.exe 880 Aanbhp32.exe 2032 Ajdjin32.exe 1800 Alcfei32.exe 312 Acmobchj.exe 4068 Abponp32.exe 4792 Ajggomog.exe 2536 Ahjgjj32.exe 4984 Akhcfe32.exe 4936 Aodogdmn.exe 500 Abbkcpma.exe 2076 Bjicdmmd.exe 3732 Blhpqhlh.exe 336 Bkkple32.exe 4840 Bcahmb32.exe 4964 Bbdhiojo.exe 3440 Bjlpjm32.exe 2400 Bljlfh32.exe 2620 Bfbaonae.exe 4040 Bhamkipi.exe 1896 Bkoigdom.exe 3200 Bcfahbpo.exe 4084 Bjpjel32.exe 4388 Bhcjqinf.exe 3880 Bombmcec.exe 4824 Bblnindg.exe 4012 Bfgjjm32.exe 4436 Bheffh32.exe 3408 Bmabggdm.exe 2308 Bopocbcq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Liabph32.dll Lgbloglj.exe File created C:\Windows\SysWOW64\Cjelhg32.dll Gpecbk32.exe File created C:\Windows\SysWOW64\Nqjgbadl.dll Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Oalipoiq.exe Onnmdcjm.exe File created C:\Windows\SysWOW64\Mdpmoppk.dll Pkbjjbda.exe File created C:\Windows\SysWOW64\Kqmfklog.dll Alkijdci.exe File created C:\Windows\SysWOW64\Cbfgkffn.exe Cohkokgj.exe File created C:\Windows\SysWOW64\Bhcjqinf.exe Bjpjel32.exe File created C:\Windows\SysWOW64\Plbhknkl.dll Hienlpel.exe File opened for modification C:\Windows\SysWOW64\Kkjeomld.exe Kcbnnpka.exe File created C:\Windows\SysWOW64\Jhghaf32.dll Odoogi32.exe File created C:\Windows\SysWOW64\Dbpjaeoc.exe Doaneiop.exe File opened for modification C:\Windows\SysWOW64\Kcbfcigf.exe Kpcjgnhb.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Doaneiop.exe File created C:\Windows\SysWOW64\Cajdjn32.dll Kjeiodek.exe File opened for modification C:\Windows\SysWOW64\Djhimica.exe Dbqqkkbo.exe File opened for modification C:\Windows\SysWOW64\Iggjga32.exe Idhnkf32.exe File opened for modification C:\Windows\SysWOW64\Oeheqm32.exe Oalipoiq.exe File opened for modification C:\Windows\SysWOW64\Aogiap32.exe Qklmpalf.exe File created C:\Windows\SysWOW64\Aafemk32.exe Aogiap32.exe File created C:\Windows\SysWOW64\Ginacp32.dll Akccap32.exe File opened for modification C:\Windows\SysWOW64\Cjecpkcg.exe Bckkca32.exe File created C:\Windows\SysWOW64\Iophkojl.dll Kqmkae32.exe File created C:\Windows\SysWOW64\Gldglf32.exe Gifkpknp.exe File created C:\Windows\SysWOW64\Ckkpjkai.dll Npgmpf32.exe File created C:\Windows\SysWOW64\Ojomcopk.exe Nfcabp32.exe File created C:\Windows\SysWOW64\Mchppmij.exe Maiccajf.exe File created C:\Windows\SysWOW64\Egjgdg32.dll Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Enbjad32.exe Ekdnei32.exe File created C:\Windows\SysWOW64\Oloahhki.exe Odhifjkg.exe File opened for modification C:\Windows\SysWOW64\Jcanll32.exe Jpcapp32.exe File opened for modification C:\Windows\SysWOW64\Dkqaoe32.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Iophfi32.dll Gmimai32.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Hoeieolb.exe File created C:\Windows\SysWOW64\Kifona32.dll Pabblb32.exe File created C:\Windows\SysWOW64\Inbhocbm.dll Bjpjel32.exe File created C:\Windows\SysWOW64\Nnbnhedj.exe Nlcalieg.exe File opened for modification C:\Windows\SysWOW64\Plmmif32.exe Pdfehh32.exe File created C:\Windows\SysWOW64\Eokqkh32.exe Emmdom32.exe File created C:\Windows\SysWOW64\Fligqhga.exe Fijkdmhn.exe File created C:\Windows\SysWOW64\Allpejfe.exe Ajndioga.exe File created C:\Windows\SysWOW64\Bhamkipi.exe Bfbaonae.exe File created C:\Windows\SysWOW64\Bdickcpo.exe Bakgoh32.exe File created C:\Windows\SysWOW64\Qklmpalf.exe Qhmqdemc.exe File opened for modification C:\Windows\SysWOW64\Blqllqqa.exe Bdickcpo.exe File opened for modification C:\Windows\SysWOW64\Jncoikmp.exe Ikdcmpnl.exe File created C:\Windows\SysWOW64\Khliclno.dll Phfjcf32.exe File created C:\Windows\SysWOW64\Efblbbqd.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Cmpdihki.dll Fmkqpkla.exe File opened for modification C:\Windows\SysWOW64\Nnhmnn32.exe Nfaemp32.exe File created C:\Windows\SysWOW64\Fbiipkjk.dll Maggnali.exe File created C:\Windows\SysWOW64\Jiiicf32.exe Jenmcggo.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jlgepanl.exe File created C:\Windows\SysWOW64\Ifomef32.dll Ogekbb32.exe File created C:\Windows\SysWOW64\Pamiaboj.exe Pkcadhgm.exe File created C:\Windows\SysWOW64\Jcmdaljn.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Hbdmdpjg.dll Jcdjbk32.exe File created C:\Windows\SysWOW64\Bdinlh32.dll Fbjmhh32.exe File created C:\Windows\SysWOW64\Ijcjmmil.exe Idfaefkd.exe File opened for modification C:\Windows\SysWOW64\Jdmgfedl.exe Jncoikmp.exe File created C:\Windows\SysWOW64\Fjjnifbl.exe Fbcfhibj.exe File created C:\Windows\SysWOW64\Egljbmnm.dll Dnbakghm.exe File opened for modification C:\Windows\SysWOW64\Ffnknafg.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Ehmjob32.dll Lgibpf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14232 14156 WerFault.exe 723 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmmif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfheof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqikmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdebfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djhimica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmimai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgpod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlglidlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkmdkgob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmndpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchlpfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnqfcbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbjkkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlghoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingpmmgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkconn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holfoqcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajggomog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bblnindg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmigoagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdilipp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmmqheb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohejo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnjmbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aogiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akqfkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chiigadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cjjlkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlggjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkmdkgob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbabigfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kdkdgchl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfnoiid.dll" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiagakg.dll" Eifhdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anaomkdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" Gncchb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdhbppo.dll" Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajhndkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknajfhe.dll" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbobfjdp.dll" Pakllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllkqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlbojee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkenjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgipcogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doepmnag.dll" Jebfng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgieglah.dll" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfibje32.dll" Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbiffko.dll" Kgipcogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjdebfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajggomog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajihlijd.dll" Mglfplgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeddnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolece32.dll" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnelok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onpjichj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeddnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmeoam32.dll" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amlkko32.dll" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejomj32.dll" Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gldglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoioli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfgjjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anaomkdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhocd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpjcgm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1816 wrote to memory of 2080 1816 2c638f43a1093fc07790c946246256e0N.exe 83 PID 1816 wrote to memory of 2080 1816 2c638f43a1093fc07790c946246256e0N.exe 83 PID 1816 wrote to memory of 2080 1816 2c638f43a1093fc07790c946246256e0N.exe 83 PID 2080 wrote to memory of 3844 2080 Piphgq32.exe 84 PID 2080 wrote to memory of 3844 2080 Piphgq32.exe 84 PID 2080 wrote to memory of 3844 2080 Piphgq32.exe 84 PID 3844 wrote to memory of 2036 3844 Plndcl32.exe 85 PID 3844 wrote to memory of 2036 3844 Plndcl32.exe 85 PID 3844 wrote to memory of 2036 3844 Plndcl32.exe 85 PID 2036 wrote to memory of 184 2036 Pchlpfjb.exe 86 PID 2036 wrote to memory of 184 2036 Pchlpfjb.exe 86 PID 2036 wrote to memory of 184 2036 Pchlpfjb.exe 86 PID 184 wrote to memory of 1252 184 Pakllc32.exe 87 PID 184 wrote to memory of 1252 184 Pakllc32.exe 87 PID 184 wrote to memory of 1252 184 Pakllc32.exe 87 PID 1252 wrote to memory of 4360 1252 Pibdmp32.exe 89 PID 1252 wrote to memory of 4360 1252 Pibdmp32.exe 89 PID 1252 wrote to memory of 4360 1252 Pibdmp32.exe 89 PID 4360 wrote to memory of 5080 4360 Phedhmhi.exe 90 PID 4360 wrote to memory of 5080 4360 Phedhmhi.exe 90 PID 4360 wrote to memory of 5080 4360 Phedhmhi.exe 90 PID 5080 wrote to memory of 260 5080 Pkcadhgm.exe 91 PID 5080 wrote to memory of 260 5080 Pkcadhgm.exe 91 PID 5080 wrote to memory of 260 5080 Pkcadhgm.exe 91 PID 260 wrote to memory of 3824 260 Pamiaboj.exe 93 PID 260 wrote to memory of 3824 260 Pamiaboj.exe 93 PID 260 wrote to memory of 3824 260 Pamiaboj.exe 93 PID 3824 wrote to memory of 3276 3824 Plbmokop.exe 94 PID 3824 wrote to memory of 3276 3824 Plbmokop.exe 94 PID 3824 wrote to memory of 3276 3824 Plbmokop.exe 94 PID 3276 wrote to memory of 3212 3276 Pkenjh32.exe 95 PID 3276 wrote to memory of 3212 3276 Pkenjh32.exe 95 PID 3276 wrote to memory of 3212 3276 Pkenjh32.exe 95 PID 3212 wrote to memory of 740 3212 Papfgbmg.exe 96 PID 3212 wrote to memory of 740 3212 Papfgbmg.exe 96 PID 3212 wrote to memory of 740 3212 Papfgbmg.exe 96 PID 740 wrote to memory of 4144 740 Pifnhpmi.exe 97 PID 740 wrote to memory of 4144 740 Pifnhpmi.exe 97 PID 740 wrote to memory of 4144 740 Pifnhpmi.exe 97 PID 4144 wrote to memory of 4972 4144 Plejdkmm.exe 98 PID 4144 wrote to memory of 4972 4144 Plejdkmm.exe 98 PID 4144 wrote to memory of 4972 4144 Plejdkmm.exe 98 PID 4972 wrote to memory of 4236 4972 Pocfpf32.exe 99 PID 4972 wrote to memory of 4236 4972 Pocfpf32.exe 99 PID 4972 wrote to memory of 4236 4972 Pocfpf32.exe 99 PID 4236 wrote to memory of 1364 4236 Pabblb32.exe 100 PID 4236 wrote to memory of 1364 4236 Pabblb32.exe 100 PID 4236 wrote to memory of 1364 4236 Pabblb32.exe 100 PID 1364 wrote to memory of 4952 1364 Piijno32.exe 102 PID 1364 wrote to memory of 4952 1364 Piijno32.exe 102 PID 1364 wrote to memory of 4952 1364 Piijno32.exe 102 PID 4952 wrote to memory of 4488 4952 Qlggjk32.exe 103 PID 4952 wrote to memory of 4488 4952 Qlggjk32.exe 103 PID 4952 wrote to memory of 4488 4952 Qlggjk32.exe 103 PID 4488 wrote to memory of 4076 4488 Qkjgegae.exe 104 PID 4488 wrote to memory of 4076 4488 Qkjgegae.exe 104 PID 4488 wrote to memory of 4076 4488 Qkjgegae.exe 104 PID 4076 wrote to memory of 4164 4076 Qcaofebg.exe 105 PID 4076 wrote to memory of 4164 4076 Qcaofebg.exe 105 PID 4076 wrote to memory of 4164 4076 Qcaofebg.exe 105 PID 4164 wrote to memory of 2496 4164 Qepkbpak.exe 106 PID 4164 wrote to memory of 2496 4164 Qepkbpak.exe 106 PID 4164 wrote to memory of 2496 4164 Qepkbpak.exe 106 PID 2496 wrote to memory of 3952 2496 Qhngolpo.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c638f43a1093fc07790c946246256e0N.exe"C:\Users\Admin\AppData\Local\Temp\2c638f43a1093fc07790c946246256e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:260 -
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3568 -
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe26⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe27⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4652 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe31⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4940 -
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe34⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Aoofle32.exeC:\Windows\system32\Aoofle32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe36⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe37⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe38⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe40⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4068 -
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe43⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe44⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe45⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe46⤵
- Executes dropped EXE
PID:500 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe48⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe49⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe50⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe51⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe52⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe53⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe55⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe56⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4084 -
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe59⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe60⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4824 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe63⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe65⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe66⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe67⤵PID:4872
-
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe68⤵PID:5028
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3600 -
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe70⤵PID:2912
-
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3884 -
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe72⤵PID:1868
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe73⤵PID:3452
-
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe74⤵PID:3640
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe75⤵
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe76⤵PID:2556
-
C:\Windows\SysWOW64\Ckkiccep.exeC:\Windows\system32\Ckkiccep.exe77⤵PID:1628
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe78⤵PID:1144
-
C:\Windows\SysWOW64\Cioilg32.exeC:\Windows\system32\Cioilg32.exe79⤵PID:4404
-
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe80⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe81⤵PID:1928
-
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe82⤵PID:1124
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe83⤵PID:3392
-
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe84⤵PID:2828
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe85⤵
- System Location Discovery: System Language Discovery
PID:3796 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe86⤵PID:4712
-
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe87⤵PID:1392
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe88⤵PID:996
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3480 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe90⤵PID:1536
-
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe91⤵PID:4364
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe92⤵PID:3292
-
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe93⤵PID:2564
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe95⤵
- Drops file in System32 directory
PID:4704 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe96⤵
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe97⤵PID:5060
-
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe98⤵
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe99⤵
- System Location Discovery: System Language Discovery
PID:5168 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe100⤵PID:5212
-
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe101⤵PID:5256
-
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe102⤵PID:5300
-
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe103⤵PID:5344
-
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe104⤵PID:5388
-
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe105⤵PID:5428
-
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe106⤵PID:5472
-
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe107⤵PID:5516
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe108⤵PID:5560
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe109⤵PID:5604
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Eplgeokq.exeC:\Windows\system32\Eplgeokq.exe111⤵PID:5688
-
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe112⤵PID:5732
-
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe114⤵PID:5812
-
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe115⤵PID:5852
-
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe116⤵PID:5896
-
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe117⤵
- Modifies registry class
PID:5936 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe118⤵PID:5976
-
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe119⤵PID:6020
-
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe120⤵PID:6064
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe121⤵PID:6108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-