Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 08/08/2024, 00:47
Static task: static1
Behavioral task: behavioral1
Sample: 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe
Resource: win10v2004-20240802-en
General
Target: 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe
Size: 63KB
MD5: 7aa6b094e2a8add422b8745eff003a0e
SHA1: 3c8245c0d864954fb8fc38b5034d5b32c47362dd
SHA256: 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9
SHA512: c484805de6f265d4f5183fb9ba58efbee04f7cb22d92e8314a85cd586adca3464bc4fca52dff0b4864a971d48ea413083c5b7d0701dfdd8d695e5eea7cd0b5cd
SSDEEP: 1536:oBtU39aSkwk/HEVu1Qh3jdS5ywK32++++++++++++++++++++++++++++++++++/:gUgSRkX2hTdSXLUo5k9DHE
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 15692, pid_target: 15612, Process: WerFault.exe, procid_target: 839
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 556 wrote to memory of 4432 | 556 | 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe | 83
PID 556 wrote to memory of 4432 | 556 | 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe | 83
PID 556 wrote to memory of 4432 | 556 | 91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe | 83
PID 4432 wrote to memory of 892 | 4432 | Bcfoelbm.exe | 84
PID 4432 wrote to memory of 892 | 4432 | Bcfoelbm.exe | 84
PID 4432 wrote to memory of 892 | 4432 | Bcfoelbm.exe | 84
PID 892 wrote to memory of 4208 | 892 | Bfdkahba.exe | 86
PID 892 wrote to memory of 4208 | 892 | Bfdkahba.exe | 86
PID 892 wrote to memory of 4208 | 892 | Bfdkahba.exe | 86
PID 4208 wrote to memory of 3780 | 4208 | Bichmcae.exe | 87
PID 4208 wrote to memory of 3780 | 4208 | Bichmcae.exe | 87
PID 4208 wrote to memory of 3780 | 4208 | Bichmcae.exe | 87
PID 3780 wrote to memory of 2996 | 3780 | Bpmpjm32.exe | 88
PID 3780 wrote to memory of 2996 | 3780 | Bpmpjm32.exe | 88
PID 3780 wrote to memory of 2996 | 3780 | Bpmpjm32.exe | 88
PID 2996 wrote to memory of 1664 | 2996 | Cgdhkk32.exe | 89
PID 2996 wrote to memory of 1664 | 2996 | Cgdhkk32.exe | 89
PID 2996 wrote to memory of 1664 | 2996 | Cgdhkk32.exe | 89
PID 1664 wrote to memory of 1360 | 1664 | Cjbdgf32.exe | 91
PID 1664 wrote to memory of 1360 | 1664 | Cjbdgf32.exe | 91
PID 1664 wrote to memory of 1360 | 1664 | Cjbdgf32.exe | 91
PID 1360 wrote to memory of 1308 | 1360 | Calldppd.exe | 92
PID 1360 wrote to memory of 1308 | 1360 | Calldppd.exe | 92
PID 1360 wrote to memory of 1308 | 1360 | Calldppd.exe | 92
PID 1308 wrote to memory of 1936 | 1308 | Cpomom32.exe | 93
PID 1308 wrote to memory of 1936 | 1308 | Cpomom32.exe | 93
PID 1308 wrote to memory of 1936 | 1308 | Cpomom32.exe | 93
PID 1936 wrote to memory of 4176 | 1936 | Cjeamffe.exe | 94
PID 1936 wrote to memory of 4176 | 1936 | Cjeamffe.exe | 94
PID 1936 wrote to memory of 4176 | 1936 | Cjeamffe.exe | 94
PID 4176 wrote to memory of 1824 | 4176 | Cmcmiaei.exe | 96
PID 4176 wrote to memory of 1824 | 4176 | Cmcmiaei.exe | 96
PID 4176 wrote to memory of 1824 | 4176 | Cmcmiaei.exe | 96
PID 1824 wrote to memory of 760 | 1824 | Ccmeek32.exe | 97
PID 1824 wrote to memory of 760 | 1824 | Ccmeek32.exe | 97
PID 1824 wrote to memory of 760 | 1824 | Ccmeek32.exe | 97
PID 760 wrote to memory of 684 | 760 | Cjgnbedb.exe | 98
PID 760 wrote to memory of 684 | 760 | Cjgnbedb.exe | 98
PID 760 wrote to memory of 684 | 760 | Cjgnbedb.exe | 98
PID 684 wrote to memory of 776 | 684 | Caafop32.exe | 99
PID 684 wrote to memory of 776 | 684 | Caafop32.exe | 99
PID 684 wrote to memory of 776 | 684 | Caafop32.exe | 99
PID 776 wrote to memory of 2276 | 776 | Cgknlj32.exe | 100
PID 776 wrote to memory of 2276 | 776 | Cgknlj32.exe | 100
PID 776 wrote to memory of 2276 | 776 | Cgknlj32.exe | 100
PID 2276 wrote to memory of 4336 | 2276 | Ciljcbij.exe | 101
PID 2276 wrote to memory of 4336 | 2276 | Ciljcbij.exe | 101
PID 2276 wrote to memory of 4336 | 2276 | Ciljcbij.exe | 101
PID 4336 wrote to memory of 5000 | 4336 | Cacbdoil.exe | 102
PID 4336 wrote to memory of 5000 | 4336 | Cacbdoil.exe | 102
PID 4336 wrote to memory of 5000 | 4336 | Cacbdoil.exe | 102
PID 5000 wrote to memory of 4892 | 5000 | Ccboqkhp.exe | 103
PID 5000 wrote to memory of 4892 | 5000 | Ccboqkhp.exe | 103
PID 5000 wrote to memory of 4892 | 5000 | Ccboqkhp.exe | 103
PID 4892 wrote to memory of 2192 | 4892 | Cfpkmfhd.exe | 104
PID 4892 wrote to memory of 2192 | 4892 | Cfpkmfhd.exe | 104
PID 4892 wrote to memory of 2192 | 4892 | Cfpkmfhd.exe | 104
PID 2192 wrote to memory of 3192 | 2192 | Cmjcip32.exe | 105
PID 2192 wrote to memory of 3192 | 2192 | Cmjcip32.exe | 105
PID 2192 wrote to memory of 3192 | 2192 | Cmjcip32.exe | 105
PID 3192 wrote to memory of 1136 | 3192 | Cpipel32.exe | 106
PID 3192 wrote to memory of 1136 | 3192 | Cpipel32.exe | 106
PID 3192 wrote to memory of 1136 | 3192 | Cpipel32.exe | 106
PID 1136 wrote to memory of 3508 | 1136 | Dcdkfjfm.exe | 107
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe (command line: "C:\Users\Admin\AppData\Local\Temp\91106028264c3df16ff75332a5935db2c945a62d511a6e4ea7a738451847aed9.exe"), PID 556
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 2: C:\Windows\SysWOW64\Bcfoelbm.exe (command line: C:\Windows\system32\Bcfoelbm.exe), PID 4432
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 3: C:\Windows\SysWOW64\Bfdkahba.exe (command line: C:\Windows\system32\Bfdkahba.exe), PID 892
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 4: C:\Windows\SysWOW64\Bichmcae.exe (command line: C:\Windows\system32\Bichmcae.exe), PID 4208
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 5: C:\Windows\SysWOW64\Bpmpjm32.exe (command line: C:\Windows\system32\Bpmpjm32.exe), PID 3780
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 6: C:\Windows\SysWOW64\Cgdhkk32.exe (command line: C:\Windows\system32\Cgdhkk32.exe), PID 2996
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 7: C:\Windows\SysWOW64\Cjbdgf32.exe (command line: C:\Windows\system32\Cjbdgf32.exe), PID 1664
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 8: C:\Windows\SysWOW64\Calldppd.exe (command line: C:\Windows\system32\Calldppd.exe), PID 1360
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 9: C:\Windows\SysWOW64\Cpomom32.exe (command line: C:\Windows\system32\Cpomom32.exe), PID 1308
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 10: C:\Windows\SysWOW64\Cjeamffe.exe (command line: C:\Windows\system32\Cjeamffe.exe), PID 1936
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 11: C:\Windows\SysWOW64\Cmcmiaei.exe (command line: C:\Windows\system32\Cmcmiaei.exe), PID 4176
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 12: C:\Windows\SysWOW64\Ccmeek32.exe (command line: C:\Windows\system32\Ccmeek32.exe), PID 1824
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 13: C:\Windows\SysWOW64\Cjgnbedb.exe (command line: C:\Windows\system32\Cjgnbedb.exe), PID 760
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 14: C:\Windows\SysWOW64\Caafop32.exe (command line: C:\Windows\system32\Caafop32.exe), PID 684
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 15: C:\Windows\SysWOW64\Cgknlj32.exe (command line: C:\Windows\system32\Cgknlj32.exe), PID 776
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 16: C:\Windows\SysWOW64\Ciljcbij.exe (command line: C:\Windows\system32\Ciljcbij.exe), PID 2276
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 17: C:\Windows\SysWOW64\Cacbdoil.exe (command line: C:\Windows\system32\Cacbdoil.exe), PID 4336
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 18: C:\Windows\SysWOW64\Ccboqkhp.exe (command line: C:\Windows\system32\Ccboqkhp.exe), PID 5000
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 19: C:\Windows\SysWOW64\Cfpkmfhd.exe (command line: C:\Windows\system32\Cfpkmfhd.exe), PID 4892
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 20: C:\Windows\SysWOW64\Cmjcip32.exe (command line: C:\Windows\system32\Cmjcip32.exe), PID 2192
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
level 21: C:\Windows\SysWOW64\Cpipel32.exe (command line: C:\Windows\system32\Cpipel32.exe), PID 3192
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
level 22: C:\Windows\SysWOW64\Dcdkfjfm.exe (command line: C:\Windows\system32\Dcdkfjfm.exe), PID 1136
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
level 23: C:\Windows\SysWOW64\Dfbhbf32.exe (command line: C:\Windows\system32\Dfbhbf32.exe), PID 3508
  - Executes dropped EXE
level 24: C:\Windows\SysWOW64\Diadna32.exe (command line: C:\Windows\system32\Diadna32.exe), PID 2732
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
level 25: C:\Windows\SysWOW64\Dpklkkla.exe (command line: C:\Windows\system32\Dpklkkla.exe), PID 3536
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
level 26: C:\Windows\SysWOW64\Dfedhe32.exe (command line: C:\Windows\system32\Dfedhe32.exe), PID 2292
  - Executes dropped EXE
level 27: C:\Windows\SysWOW64\Dajien32.exe (command line: C:\Windows\system32\Dajien32.exe), PID 1624
  - Executes dropped EXE
level 28: C:\Windows\SysWOW64\Dhdabhka.exe (command line: C:\Windows\system32\Dhdabhka.exe), PID 4524
  - Executes dropped EXE
level 29: C:\Windows\SysWOW64\Djcmnd32.exe (command line: C:\Windows\system32\Djcmnd32.exe), PID 4192
  - Executes dropped EXE
level 30: C:\Windows\SysWOW64\Dmaijo32.exe (command line: C:\Windows\system32\Dmaijo32.exe), PID 1388
  - Executes dropped EXE
  - Modifies registry class
level 31: C:\Windows\SysWOW64\Dameknaa.exe (command line: C:\Windows\system32\Dameknaa.exe), PID 5052
  - Executes dropped EXE
  - Drops file in System32 directory
level 32: C:\Windows\SysWOW64\Dppefk32.exe (command line: C:\Windows\system32\Dppefk32.exe), PID 1912
  - Executes dropped EXE
  - Drops file in System32 directory
level 33: C:\Windows\SysWOW64\Djejcc32.exe (command line: C:\Windows\system32\Djejcc32.exe), PID 4576
  - Executes dropped EXE
level 34: C:\Windows\SysWOW64\Dpbblj32.exe (command line: C:\Windows\system32\Dpbblj32.exe), PID 3064
  - Executes dropped EXE
level 35: C:\Windows\SysWOW64\Dijgdpmj.exe (command line: C:\Windows\system32\Dijgdpmj.exe), PID 3240
  - Executes dropped EXE
  - Modifies registry class
level 36: C:\Windows\SysWOW64\Daaofm32.exe (command line: C:\Windows\system32\Daaofm32.exe), PID 2116
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 37: C:\Windows\SysWOW64\Edpkbi32.exe (command line: C:\Windows\system32\Edpkbi32.exe), PID 2956
  - Executes dropped EXE
  - Modifies registry class
level 38: C:\Windows\SysWOW64\Ejjcocdm.exe (command line: C:\Windows\system32\Ejjcocdm.exe), PID 1244
  - Executes dropped EXE
level 39: C:\Windows\SysWOW64\Edbhgh32.exe (command line: C:\Windows\system32\Edbhgh32.exe), PID 3924
  - Executes dropped EXE
level 40: C:\Windows\SysWOW64\Eafhamig.exe (command line: C:\Windows\system32\Eafhamig.exe), PID 564
  - Executes dropped EXE
  - Modifies registry class
level 41: C:\Windows\SysWOW64\Edddmhhk.exe (command line: C:\Windows\system32\Edddmhhk.exe), PID 3116
  - Executes dropped EXE
level 42: C:\Windows\SysWOW64\Efcqicgo.exe (command line: C:\Windows\system32\Efcqicgo.exe), PID 2984
  - Executes dropped EXE
level 43: C:\Windows\SysWOW64\Eiameofb.exe (command line: C:\Windows\system32\Eiameofb.exe), PID 4044
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 44: C:\Windows\SysWOW64\Eaheflgd.exe (command line: C:\Windows\system32\Eaheflgd.exe), PID 3396
  - Executes dropped EXE
level 45: C:\Windows\SysWOW64\Epkebi32.exe (command line: C:\Windows\system32\Epkebi32.exe), PID 3108
  - Executes dropped EXE
level 46: C:\Windows\SysWOW64\Edgabhfh.exe (command line: C:\Windows\system32\Edgabhfh.exe), PID 4808
  - Executes dropped EXE
level 47: C:\Windows\SysWOW64\Efemocel.exe (command line: C:\Windows\system32\Efemocel.exe), PID 2156
  - Executes dropped EXE
level 48: C:\Windows\SysWOW64\Eicjkodp.exe (command line: C:\Windows\system32\Eicjkodp.exe), PID 4540
  - Executes dropped EXE
level 49: C:\Windows\SysWOW64\Eakall32.exe (command line: C:\Windows\system32\Eakall32.exe), PID 2836
  - Executes dropped EXE
level 50: C:\Windows\SysWOW64\Edinhg32.exe (command line: C:\Windows\system32\Edinhg32.exe), PID 2988
  - Executes dropped EXE
level 51: C:\Windows\SysWOW64\Ehejifmo.exe (command line: C:\Windows\system32\Ehejifmo.exe), PID 4116
  - Executes dropped EXE
level 52: C:\Windows\SysWOW64\Eiffpn32.exe (command line: C:\Windows\system32\Eiffpn32.exe), PID 2900
  - Executes dropped EXE
level 53: C:\Windows\SysWOW64\Emabamkf.exe (command line: C:\Windows\system32\Emabamkf.exe), PID 3504
  - Executes dropped EXE
  - Modifies registry class
level 54: C:\Windows\SysWOW64\Fppomhjj.exe (command line: C:\Windows\system32\Fppomhjj.exe), PID 3904
  - Executes dropped EXE
level 55: C:\Windows\SysWOW64\Fhgfnfjl.exe (command line: C:\Windows\system32\Fhgfnfjl.exe), PID 1700
  - Executes dropped EXE
level 56: C:\Windows\SysWOW64\Ffjgjb32.exe (command line: C:\Windows\system32\Ffjgjb32.exe), PID 708
  - Executes dropped EXE
level 57: C:\Windows\SysWOW64\Fihcfn32.exe (command line: C:\Windows\system32\Fihcfn32.exe), PID 3760
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
level 58: C:\Windows\SysWOW64\Fapkgk32.exe (command line: C:\Windows\system32\Fapkgk32.exe), PID 4460
  - Executes dropped EXE
  - Modifies registry class
level 59: C:\Windows\SysWOW64\Fpbkbhhg.exe (command line: C:\Windows\system32\Fpbkbhhg.exe), PID 1808
  - Executes dropped EXE
level 60: C:\Windows\SysWOW64\Fdngcgpp.exe (command line: C:\Windows\system32\Fdngcgpp.exe), PID 4016
  - Executes dropped EXE
level 61: C:\Windows\SysWOW64\Fflcobod.exe (command line: C:\Windows\system32\Fflcobod.exe), PID 3676
  - Executes dropped EXE
level 62: C:\Windows\SysWOW64\Fkhppa32.exe (command line: C:\Windows\system32\Fkhppa32.exe), PID 836
  - Executes dropped EXE
level 63: C:\Windows\SysWOW64\Fmflll32.exe (command line: C:\Windows\system32\Fmflll32.exe), PID 4992
  - Executes dropped EXE
  - Drops file in System32 directory
level 64: C:\Windows\SysWOW64\Fabhmkoj.exe (command line: C:\Windows\system32\Fabhmkoj.exe), PID 3936
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
level 65: C:\Windows\SysWOW64\Fhlpie32.exe (command line: C:\Windows\system32\Fhlpie32.exe), PID 1100
  - Executes dropped EXE
level 66: C:\Windows\SysWOW64\Fgopebma.exe (command line: C:\Windows\system32\Fgopebma.exe), PID 916
level 67: C:\Windows\SysWOW64\Fkjleq32.exe (command line: C:\Windows\system32\Fkjleq32.exe), PID 3380
level 68: C:\Windows\SysWOW64\Fmihal32.exe (command line: C:\Windows\system32\Fmihal32.exe), PID 3440
  - System Location Discovery: System Language Discovery
level 69: C:\Windows\SysWOW64\Faddbkmg.exe (command line: C:\Windows\system32\Faddbkmg.exe), PID 1768
level 70: C:\Windows\SysWOW64\Fdbqnflk.exe (command line: C:\Windows\system32\Fdbqnflk.exe), PID 3740
level 71: C:\Windows\SysWOW64\Fkmikpcg.exe (command line: C:\Windows\system32\Fkmikpcg.exe), PID 4636
level 72: C:\Windows\SysWOW64\Fioifm32.exe (command line: C:\Windows\system32\Fioifm32.exe), PID 2056
level 73: C:\Windows\SysWOW64\Fafahj32.exe (command line: C:\Windows\system32\Fafahj32.exe), PID 2496
level 74: C:\Windows\SysWOW64\Fdemdf32.exe (command line: C:\Windows\system32\Fdemdf32.exe), PID 1472
level 75: C:\Windows\SysWOW64\Fgcjpa32.exe (command line: C:\Windows\system32\Fgcjpa32.exe), PID 224
level 76: C:\Windows\SysWOW64\Fibflm32.exe (command line: C:\Windows\system32\Fibflm32.exe), PID 4480
  - Modifies registry class
level 77: C:\Windows\SysWOW64\Gplnigpl.exe (command line: C:\Windows\system32\Gplnigpl.exe), PID 4252
  - Adds autorun key to be loaded by Explorer.exe on startup
level 78: C:\Windows\SysWOW64\Gmpobk32.exe (command line: C:\Windows\system32\Gmpobk32.exe), PID 4956
  - Drops file in System32 directory
level 79: C:\Windows\SysWOW64\Gdjgoefc.exe (command line: C:\Windows\system32\Gdjgoefc.exe), PID 1652
level 80: C:\Windows\SysWOW64\Ghecpd32.exe (command line: C:\Windows\system32\Ghecpd32.exe), PID 2752
level 81: C:\Windows\SysWOW64\Gifogldj.exe (command line: C:\Windows\system32\Gifogldj.exe), PID 4940
level 82: C:\Windows\SysWOW64\Ganghiel.exe (command line: C:\Windows\system32\Ganghiel.exe), PID 4156
level 83: C:\Windows\SysWOW64\Ghgpec32.exe (command line: C:\Windows\system32\Ghgpec32.exe), PID 180
level 84: C:\Windows\SysWOW64\Gkflaokm.exe (command line: C:\Windows\system32\Gkflaokm.exe), PID 1976
level 85: C:\Windows\SysWOW64\Gndhmjjq.exe (command line: C:\Windows\system32\Gndhmjjq.exe), PID 3420
  - System Location Discovery: System Language Discovery
level 86: C:\Windows\SysWOW64\Gpcdifjd.exe (command line: C:\Windows\system32\Gpcdifjd.exe), PID 2484
level 87: C:\Windows\SysWOW64\Ggmlfp32.exe (command line: C:\Windows\system32\Ggmlfp32.exe), PID 3020
level 88: C:\Windows\SysWOW64\Gabqci32.exe (command line: C:\Windows\system32\Gabqci32.exe), PID 968
  - Modifies registry class
level 89: C:\Windows\SysWOW64\Gdqmpd32.exe (command line: C:\Windows\system32\Gdqmpd32.exe), PID 3972
  - Modifies registry class
level 90: C:\Windows\SysWOW64\Hadmihod.exe (command line: C:\Windows\system32\Hadmihod.exe), PID 2736
level 91: C:\Windows\SysWOW64\Hgafaoml.exe (command line: C:\Windows\system32\Hgafaoml.exe), PID 1072
level 92: C:\Windows\SysWOW64\Hjpbmklp.exe (command line: C:\Windows\system32\Hjpbmklp.exe), PID 2472
level 93: C:\Windows\SysWOW64\Hagjohma.exe (command line: C:\Windows\system32\Hagjohma.exe), PID 3632
level 94: C:\Windows\SysWOW64\Hdefkcle.exe (command line: C:\Windows\system32\Hdefkcle.exe), PID 5036
level 95: C:\Windows\SysWOW64\Haigdh32.exe (command line: C:\Windows\system32\Haigdh32.exe), PID 3604
  - Drops file in System32 directory
level 96: C:\Windows\SysWOW64\Hgfolo32.exe (command line: C:\Windows\system32\Hgfolo32.exe), PID 428
level 97: C:\Windows\SysWOW64\Hjdkhj32.exe (command line: C:\Windows\system32\Hjdkhj32.exe), PID 808
level 98: C:\Windows\SysWOW64\Halcjg32.exe (command line: C:\Windows\system32\Halcjg32.exe), PID 5132
level 99: C:\Windows\SysWOW64\Hdjpfc32.exe (command line: C:\Windows\system32\Hdjpfc32.exe), PID 5168
level 100: C:\Windows\SysWOW64\Hanpoggj.exe (command line: C:\Windows\system32\Hanpoggj.exe), PID 5224
level 101: C:\Windows\SysWOW64\Hpaqkd32.exe (command line: C:\Windows\system32\Hpaqkd32.exe), PID 5268
level 102: C:\Windows\SysWOW64\Hhhhla32.exe (command line: C:\Windows\system32\Hhhhla32.exe), PID 5316
level 103: C:\Windows\SysWOW64\Hkfdhm32.exe (command line: C:\Windows\system32\Hkfdhm32.exe), PID 5356
  - Drops file in System32 directory
level 104: C:\Windows\SysWOW64\Ijiecide.exe (command line: C:\Windows\system32\Ijiecide.exe), PID 5404
level 105: C:\Windows\SysWOW64\Idoiabdk.exe (command line: C:\Windows\system32\Idoiabdk.exe), PID 5448
level 106: C:\Windows\SysWOW64\Ihjeaa32.exe (command line: C:\Windows\system32\Ihjeaa32.exe), PID 5484
  - Adds autorun key to be loaded by Explorer.exe on startup
level 107: C:\Windows\SysWOW64\Igmemnco.exe (command line: C:\Windows\system32\Igmemnco.exe), PID 5532
level 108: C:\Windows\SysWOW64\Ingnjh32.exe (command line: C:\Windows\system32\Ingnjh32.exe), PID 5580
  - Adds autorun key to be loaded by Explorer.exe on startup
level 109: C:\Windows\SysWOW64\Iqejfc32.exe (command line: C:\Windows\system32\Iqejfc32.exe), PID 5624
level 110: C:\Windows\SysWOW64\Idaffb32.exe (command line: C:\Windows\system32\Idaffb32.exe), PID 5668
level 111: C:\Windows\SysWOW64\Igpbbm32.exe (command line: C:\Windows\system32\Igpbbm32.exe), PID 5712
level 112: C:\Windows\SysWOW64\Ijnnoi32.exe (command line: C:\Windows\system32\Ijnnoi32.exe), PID 5756
level 113: C:\Windows\SysWOW64\Iaefpf32.exe (command line: C:\Windows\system32\Iaefpf32.exe), PID 5800
level 114: C:\Windows\SysWOW64\Idcbla32.exe (command line: C:\Windows\system32\Idcbla32.exe), PID 5844
level 115: C:\Windows\SysWOW64\Ihoompho.exe (command line: C:\Windows\system32\Ihoompho.exe), PID 5888
  - System Location Discovery: System Language Discovery
level 116: C:\Windows\SysWOW64\Ikmkilgb.exe (command line: C:\Windows\system32\Ikmkilgb.exe), PID 5932
level 117: C:\Windows\SysWOW64\Inlgegff.exe (command line: C:\Windows\system32\Inlgegff.exe), PID 5976
level 118: C:\Windows\SysWOW64\Ibgcef32.exe (command line: C:\Windows\system32\Ibgcef32.exe), PID 6012
level 119: C:\Windows\SysWOW64\Idfoaa32.exe (command line: C:\Windows\system32\Idfoaa32.exe), PID 6060
level 120: C:\Windows\SysWOW64\Igdknmmf.exe (command line: C:\Windows\system32\Igdknmmf.exe), PID 6104
level 121: C:\Windows\SysWOW64\Inndjg32.exe (command line: C:\Windows\system32\Inndjg32.exe), PID 5128
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
level 122: C:\Windows\SysWOW64\Ibjpkeml.exe (command line: C:\Windows\system32\Ibjpkeml.exe), PID 5160