Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/08/2024, 02:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4132e397d7c7ab9a3fef03f4292f8470N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4132e397d7c7ab9a3fef03f4292f8470N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4132e397d7c7ab9a3fef03f4292f8470N.exe
-
Size
768KB
-
MD5
4132e397d7c7ab9a3fef03f4292f8470
-
SHA1
feab87e31a003aef1deaa38c07fd4e5dac93d12e
-
SHA256
140b16b8a5f2939874fcf5a0294eaef19e1dfb6549d0cd1f7216a4468571fd31
-
SHA512
dcd681b06a9f41eb47b5d4096b8b8906ddd407efe242b5f1f1c56da5c225936d7c1f82abf863ff7507027febfce3f780cec35972542edf34329e6c6833c76732
-
SSDEEP
12288:emlFvF6IvYvc6IveDVqvQ6IvTPh2kkkkK4kXkkkkkkkkl888888888888888888d:emlb3q5hPPh2kkkkK4kXkkkkkkkkH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmobchj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgohklm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biadeoce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiggbhda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgnkhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekdnei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhakoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiahnnph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnpabe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgifbhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkcqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlblcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgamnded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekqmhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnbdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbenmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcgkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkaclqkk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajpbckl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idghpmnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhndljll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqgidij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aleckinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpamabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdnbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oikjkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdedak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiggbhda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidhlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjchaf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnehj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pamiaboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbmdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkfcqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcqpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmpcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnnljj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boipmj32.exe -
Executes dropped EXE 64 IoCs
pid Process 4300 Qfbobf32.exe 4448 Qhakoa32.exe 3748 Qqhcpo32.exe 2704 Acgolj32.exe 1308 Ajqgidij.exe 2600 Ahchda32.exe 4028 Aqkpeopg.exe 4032 Aompak32.exe 3808 Agdhbi32.exe 920 Afghneoo.exe 4108 Ahfdjanb.exe 5060 Aqmlknnd.exe 2476 Aopmfk32.exe 4288 Ackigjmh.exe 2448 Afjeceml.exe 780 Aihaoqlp.exe 768 Aqoiqn32.exe 4412 Aobilkcl.exe 3316 Acnemi32.exe 1492 Aflaie32.exe 3076 Ajhniccb.exe 4852 Aijnep32.exe 3592 Aqaffn32.exe 4836 Aodfajaj.exe 184 Acpbbi32.exe 2104 Ajjjocap.exe 4556 Amhfkopc.exe 2864 Bqdblmhl.exe 1332 Bcbohigp.exe 2436 Bgnkhg32.exe 900 Bfqkddfd.exe 3464 Biogppeg.exe 4128 Bmkcqn32.exe 628 Boipmj32.exe 2884 Bcelmhen.exe 4868 Bfchidda.exe 3428 Biadeoce.exe 3820 Bmmpfn32.exe 816 Boklbi32.exe 3636 Bgbdcgld.exe 1460 Bfedoc32.exe 1924 Bjaqpbkh.exe 4156 Bmomlnjk.exe 3168 Bqkill32.exe 1656 Bciehh32.exe 3196 Bgeaifia.exe 3520 Bfhadc32.exe 4132 Bifmqo32.exe 2344 Bmbiamhi.exe 3360 Bppfmigl.exe 368 Bclang32.exe 4324 Bfjnjcni.exe 3276 Bihjfnmm.exe 1416 Cqpbglno.exe 548 Cpbbch32.exe 4336 Cgjjdf32.exe 4924 Cflkpblf.exe 4532 Cikglnkj.exe 4400 Ccqkigkp.exe 4560 Cfogeb32.exe 3724 Cjjcfabm.exe 2708 Cmipblaq.exe 1052 Cpglnhad.exe 2056 Ccchof32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgnffj32.exe Bpdnjple.exe File opened for modification C:\Windows\SysWOW64\Eomffaag.exe Egened32.exe File created C:\Windows\SysWOW64\Jidinqpb.exe Iamamcop.exe File opened for modification C:\Windows\SysWOW64\Mjellmbp.exe Mhfppabl.exe File opened for modification C:\Windows\SysWOW64\Poajkgnc.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Pocfpf32.exe Phincl32.exe File opened for modification C:\Windows\SysWOW64\Omgcpokp.exe Olfghg32.exe File created C:\Windows\SysWOW64\Aojefobm.exe Addaif32.exe File created C:\Windows\SysWOW64\Hkpnbd32.dll Aojefobm.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nclbpf32.exe File opened for modification C:\Windows\SysWOW64\Fecadghc.exe Fbdehlip.exe File created C:\Windows\SysWOW64\Fbackgod.dll Cidjbmcp.exe File created C:\Windows\SysWOW64\Kgmcce32.exe Kenggi32.exe File created C:\Windows\SysWOW64\Lbpdblmo.exe Ljilqnlm.exe File created C:\Windows\SysWOW64\Pjoppf32.exe Pbhgoh32.exe File created C:\Windows\SysWOW64\Dooaccfg.dll Ccmcgcmp.exe File created C:\Windows\SysWOW64\Qqhcpo32.exe Qhakoa32.exe File created C:\Windows\SysWOW64\Ejahqlpp.dll Ajjjocap.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Aaiimadl.exe File created C:\Windows\SysWOW64\Pakdbp32.exe Pidlqb32.exe File created C:\Windows\SysWOW64\Njonjm32.dll Ajaelc32.exe File opened for modification C:\Windows\SysWOW64\Ijcahd32.exe Igedlh32.exe File opened for modification C:\Windows\SysWOW64\Dkdliame.exe Dfgcakon.exe File created C:\Windows\SysWOW64\Jllhpkfk.exe Jeapcq32.exe File opened for modification C:\Windows\SysWOW64\Eiahnnph.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Iafkld32.exe Ihmfco32.exe File opened for modification C:\Windows\SysWOW64\Oikjkc32.exe Obqanjdb.exe File created C:\Windows\SysWOW64\Pfgbakef.dll Pjoppf32.exe File created C:\Windows\SysWOW64\Ikdkai32.dll Boklbi32.exe File opened for modification C:\Windows\SysWOW64\Nliaao32.exe Nijeec32.exe File opened for modification C:\Windows\SysWOW64\Gdobnj32.exe Giinpa32.exe File created C:\Windows\SysWOW64\Ljhefhha.exe Lekmnajj.exe File created C:\Windows\SysWOW64\Ckjbhmad.exe Cocacl32.exe File opened for modification C:\Windows\SysWOW64\Igqkqiai.exe Idbodn32.exe File created C:\Windows\SysWOW64\Cmakeiil.dll Nknobkje.exe File opened for modification C:\Windows\SysWOW64\Bmofagfp.exe Bjpjel32.exe File created C:\Windows\SysWOW64\Dpehof32.exe Dabhdinj.exe File created C:\Windows\SysWOW64\Jgnboabc.dll Fipbdikp.exe File created C:\Windows\SysWOW64\Cclaff32.dll Ginnfgop.exe File opened for modification C:\Windows\SysWOW64\Idkbkl32.exe Iqpfjnba.exe File created C:\Windows\SysWOW64\Jgenbfoa.exe Jdgafjpn.exe File opened for modification C:\Windows\SysWOW64\Boklbi32.exe Bmmpfn32.exe File created C:\Windows\SysWOW64\Bifmqo32.exe Bfhadc32.exe File created C:\Windows\SysWOW64\Nmiakk32.dll Dmbbhkjf.exe File opened for modification C:\Windows\SysWOW64\Oblmdhdo.exe Ooqqdi32.exe File created C:\Windows\SysWOW64\Iajdgcab.exe Ihbponja.exe File created C:\Windows\SysWOW64\Labnlj32.dll Bdeiqgkj.exe File opened for modification C:\Windows\SysWOW64\Pjbcplpe.exe Pdhkcb32.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe Ppikbm32.exe File opened for modification C:\Windows\SysWOW64\Qmdblp32.exe Qbonoghb.exe File created C:\Windows\SysWOW64\Acpbbi32.exe Aodfajaj.exe File created C:\Windows\SysWOW64\Kpdahg32.dll Hjedffig.exe File created C:\Windows\SysWOW64\Qipkmbib.dll Ihgnkkbd.exe File created C:\Windows\SysWOW64\Knalji32.exe Kdigadjo.exe File created C:\Windows\SysWOW64\Fmplqd32.dll Ljnlecmp.exe File created C:\Windows\SysWOW64\Lnjkcfod.dll Fbmohmoh.exe File created C:\Windows\SysWOW64\Ojnfihmo.exe Obgohklm.exe File opened for modification C:\Windows\SysWOW64\Pidlqb32.exe Pbjddh32.exe File opened for modification C:\Windows\SysWOW64\Ajhniccb.exe Aflaie32.exe File created C:\Windows\SysWOW64\Aggamk32.dll Bifmqo32.exe File created C:\Windows\SysWOW64\Fkkceedp.dll Ejchhgid.exe File created C:\Windows\SysWOW64\Mnmmboed.exe Mgbefe32.exe File created C:\Windows\SysWOW64\Deaiemli.dll Pidlqb32.exe File created C:\Windows\SysWOW64\Lehhlb32.dll Idghpmnp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7448 7796 WerFault.exe 1025 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgonidg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomjicei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jglklggl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhfoebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqncnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjdikqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfcaohp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhamkipi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejkmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcelpggq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikejgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciafbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giljfddl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbdki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffclcgfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblajhje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahchda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknkpjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeapcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfheof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilafiihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjedffig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqglkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlbhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkoim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackigjmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcfahbpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloqml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loofnccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfqmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdajb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljceqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjkic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniihmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmchoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiggbhda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjellmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknfcofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkepaam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdlmg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbdehlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanpdgfl.dll" Kolabf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmnkkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiodpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohghgodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpfbb32.dll" Kjjiej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bafndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhomfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iangld32.dll" Inomhbeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnphmkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmchiim.dll" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackigjmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faikapbo.dll" Aanbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbmqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipecicga.dll" Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inagcf32.dll" Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copdgb32.dll" Poliea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfihkqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhgkmpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdlangb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpehof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpfjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggbook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqqpck32.dll" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbajeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gijekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknajfhe.dll" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll" Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpqlc32.dll" Fndpmndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfaigclq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnkapdda.dll" Ajdjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdjoane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpldkpc.dll" Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll" Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfokdq32.dll" Hajpbckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemilf32.dll" Bfngdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phganm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfnpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjknfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhqcgnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobilkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpodlbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obafpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpiopih.dll" Qlgpod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofimgb32.dll" Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlgcl32.dll" Qcaofebg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll" Cacmpj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1392 wrote to memory of 4300 1392 4132e397d7c7ab9a3fef03f4292f8470N.exe 85 PID 1392 wrote to memory of 4300 1392 4132e397d7c7ab9a3fef03f4292f8470N.exe 85 PID 1392 wrote to memory of 4300 1392 4132e397d7c7ab9a3fef03f4292f8470N.exe 85 PID 4300 wrote to memory of 4448 4300 Qfbobf32.exe 86 PID 4300 wrote to memory of 4448 4300 Qfbobf32.exe 86 PID 4300 wrote to memory of 4448 4300 Qfbobf32.exe 86 PID 4448 wrote to memory of 3748 4448 Qhakoa32.exe 87 PID 4448 wrote to memory of 3748 4448 Qhakoa32.exe 87 PID 4448 wrote to memory of 3748 4448 Qhakoa32.exe 87 PID 3748 wrote to memory of 2704 3748 Qqhcpo32.exe 89 PID 3748 wrote to memory of 2704 3748 Qqhcpo32.exe 89 PID 3748 wrote to memory of 2704 3748 Qqhcpo32.exe 89 PID 2704 wrote to memory of 1308 2704 Acgolj32.exe 90 PID 2704 wrote to memory of 1308 2704 Acgolj32.exe 90 PID 2704 wrote to memory of 1308 2704 Acgolj32.exe 90 PID 1308 wrote to memory of 2600 1308 Ajqgidij.exe 91 PID 1308 wrote to memory of 2600 1308 Ajqgidij.exe 91 PID 1308 wrote to memory of 2600 1308 Ajqgidij.exe 91 PID 2600 wrote to memory of 4028 2600 Ahchda32.exe 92 PID 2600 wrote to memory of 4028 2600 Ahchda32.exe 92 PID 2600 wrote to memory of 4028 2600 Ahchda32.exe 92 PID 4028 wrote to memory of 4032 4028 Aqkpeopg.exe 93 PID 4028 wrote to memory of 4032 4028 Aqkpeopg.exe 93 PID 4028 wrote to memory of 4032 4028 Aqkpeopg.exe 93 PID 4032 wrote to memory of 3808 4032 Aompak32.exe 94 PID 4032 wrote to memory of 3808 4032 Aompak32.exe 94 PID 4032 wrote to memory of 3808 4032 Aompak32.exe 94 PID 3808 wrote to memory of 920 3808 Agdhbi32.exe 95 PID 3808 wrote to memory of 920 3808 Agdhbi32.exe 95 PID 3808 wrote to memory of 920 3808 Agdhbi32.exe 95 PID 920 wrote to memory of 4108 920 Afghneoo.exe 96 PID 920 wrote to memory of 4108 920 Afghneoo.exe 96 PID 920 wrote to memory of 4108 920 Afghneoo.exe 96 PID 4108 wrote to memory of 5060 4108 Ahfdjanb.exe 97 PID 4108 wrote to memory of 5060 4108 Ahfdjanb.exe 97 PID 4108 wrote to memory of 5060 4108 Ahfdjanb.exe 97 PID 5060 wrote to memory of 2476 5060 Aqmlknnd.exe 98 PID 5060 wrote to memory of 2476 5060 Aqmlknnd.exe 98 PID 5060 wrote to memory of 2476 5060 Aqmlknnd.exe 98 PID 2476 wrote to memory of 4288 2476 Aopmfk32.exe 99 PID 2476 wrote to memory of 4288 2476 Aopmfk32.exe 99 PID 2476 wrote to memory of 4288 2476 Aopmfk32.exe 99 PID 4288 wrote to memory of 2448 4288 Ackigjmh.exe 100 PID 4288 wrote to memory of 2448 4288 Ackigjmh.exe 100 PID 4288 wrote to memory of 2448 4288 Ackigjmh.exe 100 PID 2448 wrote to memory of 780 2448 Afjeceml.exe 101 PID 2448 wrote to memory of 780 2448 Afjeceml.exe 101 PID 2448 wrote to memory of 780 2448 Afjeceml.exe 101 PID 780 wrote to memory of 768 780 Aihaoqlp.exe 102 PID 780 wrote to memory of 768 780 Aihaoqlp.exe 102 PID 780 wrote to memory of 768 780 Aihaoqlp.exe 102 PID 768 wrote to memory of 4412 768 Aqoiqn32.exe 103 PID 768 wrote to memory of 4412 768 Aqoiqn32.exe 103 PID 768 wrote to memory of 4412 768 Aqoiqn32.exe 103 PID 4412 wrote to memory of 3316 4412 Aobilkcl.exe 104 PID 4412 wrote to memory of 3316 4412 Aobilkcl.exe 104 PID 4412 wrote to memory of 3316 4412 Aobilkcl.exe 104 PID 3316 wrote to memory of 1492 3316 Acnemi32.exe 105 PID 3316 wrote to memory of 1492 3316 Acnemi32.exe 105 PID 3316 wrote to memory of 1492 3316 Acnemi32.exe 105 PID 1492 wrote to memory of 3076 1492 Aflaie32.exe 106 PID 1492 wrote to memory of 3076 1492 Aflaie32.exe 106 PID 1492 wrote to memory of 3076 1492 Aflaie32.exe 106 PID 3076 wrote to memory of 4852 3076 Ajhniccb.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4132e397d7c7ab9a3fef03f4292f8470N.exe"C:\Users\Admin\AppData\Local\Temp\4132e397d7c7ab9a3fef03f4292f8470N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe23⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe24⤵
- Executes dropped EXE
PID:3592 -
C:\Windows\SysWOW64\Aodfajaj.exeC:\Windows\system32\Aodfajaj.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4836 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:184 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe28⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe29⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe30⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe32⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe33⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe36⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe37⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe41⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe42⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Bmomlnjk.exeC:\Windows\system32\Bmomlnjk.exe44⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe45⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe46⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe47⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3520 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4132 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe50⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe51⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe52⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe53⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe54⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe55⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe56⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe57⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe58⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe59⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe60⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe61⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe62⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe63⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe64⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe65⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe66⤵PID:1164
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe67⤵PID:5056
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe68⤵PID:1212
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe69⤵PID:3228
-
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe70⤵PID:1520
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3760 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe72⤵PID:1908
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe73⤵PID:4388
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe74⤵PID:3616
-
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe75⤵PID:4344
-
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe76⤵PID:1708
-
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe77⤵
- Drops file in System32 directory
PID:3408 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe78⤵PID:3328
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe79⤵PID:2480
-
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe80⤵PID:4536
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe81⤵PID:5156
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:5192 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe83⤵PID:5228
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe84⤵PID:5264
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe85⤵PID:5300
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe86⤵
- System Location Discovery: System Language Discovery
PID:5336 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5372 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe88⤵PID:5408
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe89⤵PID:5444
-
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe90⤵PID:5480
-
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe91⤵PID:5516
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe93⤵
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe94⤵
- Modifies registry class
PID:5624 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe95⤵PID:5660
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe96⤵PID:5696
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe97⤵PID:5732
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe98⤵PID:5768
-
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe99⤵PID:5804
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe100⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe101⤵PID:320
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe102⤵PID:2396
-
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe103⤵PID:5144
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe104⤵PID:2836
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe105⤵
- Drops file in System32 directory
PID:5276 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe106⤵PID:5324
-
C:\Windows\SysWOW64\Fagjfflb.exeC:\Windows\system32\Fagjfflb.exe107⤵PID:3932
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe108⤵PID:5440
-
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe109⤵PID:5504
-
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5576 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe111⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe112⤵PID:5716
-
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe113⤵PID:5824
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe114⤵PID:3940
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe115⤵PID:5992
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe116⤵PID:5068
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe117⤵
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe118⤵PID:4844
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe119⤵PID:2236
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe120⤵PID:6132
-
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe121⤵PID:1536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-