Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/08/2024, 10:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
09ba858aabf2f97a0a38caef4a83fe40N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
09ba858aabf2f97a0a38caef4a83fe40N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
09ba858aabf2f97a0a38caef4a83fe40N.exe
-
Size
94KB
-
MD5
09ba858aabf2f97a0a38caef4a83fe40
-
SHA1
6a56ee2a6d5be016f1ef9c440d860c9920c44174
-
SHA256
e03bacd92d269b7414f9b092eefc74d630799eda3751e032e1a0cde3c2b92bd7
-
SHA512
fd2d4e6c4860656a567d4be1f8827bc759321b864475117b59032c8a8f215837933ffb189c1afbd3352b5b40b38f829ed7fde1be361a891a9002272e87326793
-
SSDEEP
1536:Rf1tt8GM/hzjZa9Z7gF7VXHodlrevGyyVDQx1XFQImUiEj8E1PkALubWlgmtG7yR:Jk589BgXInrIGuXj4NbWlgmE7yW56+ob
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmdme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdcfidg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqnbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggjga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpimlfke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iakiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijegcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coegoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qebhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcjcnoej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ondljl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpcapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnaqgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknobkje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoabad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knflpoqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nelfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmieae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedafk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djjebh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaokl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfcipoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobhkjdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijfnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikcmbfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oadfkdgd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfchlbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoioli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbdldnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inlihl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjpnlbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalipoiq.exe -
Executes dropped EXE 64 IoCs
pid Process 2680 Gahcmd32.exe 4756 Hhbkinel.exe 1548 Hkpheidp.exe 1392 Hjchaf32.exe 3564 Hpmpnp32.exe 4768 Hhdhon32.exe 3128 Hkbdki32.exe 4980 Hnaqgd32.exe 3836 Hpomcp32.exe 2352 Hgiepjga.exe 2716 Hkeaqi32.exe 4596 Hncmmd32.exe 2356 Hpbiip32.exe 3316 Hhiajmod.exe 4748 Hjjnae32.exe 1792 Haafcb32.exe 1656 Hhknpmma.exe 2320 Hkjjlhle.exe 3148 Hnhghcki.exe 3184 Idbodn32.exe 3976 Ijogmdqm.exe 4512 Iafonaao.exe 4836 Iddljmpc.exe 772 Igchfiof.exe 3872 Ijadbdoj.exe 4700 Iahlcaol.exe 1596 Iqklon32.exe 1396 Ihbdplfi.exe 212 Ikqqlgem.exe 2016 Inomhbeq.exe 5064 Iakiia32.exe 228 Idieem32.exe 5020 Ikcmbfcj.exe 2876 Ijfnmc32.exe 3848 Iqpfjnba.exe 4988 Ijhjcchb.exe 3112 Ibobdqid.exe 4804 Jdnoplhh.exe 1616 Jkhgmf32.exe 1756 Jjjghcfp.exe 3720 Jbaojpgb.exe 2208 Jdpkflfe.exe 3080 Jhlgfj32.exe 2804 Jkjcbe32.exe 5100 Jnhpoamf.exe 1540 Jqglkmlj.exe 444 Jhndljll.exe 932 Jklphekp.exe 4696 Jnkldqkc.exe 1492 Jqiipljg.exe 352 Jhpqaiji.exe 3644 Jgcamf32.exe 3680 Jjamia32.exe 4792 Jbiejoaj.exe 2776 Jdgafjpn.exe 4348 Jgenbfoa.exe 3860 Jjdjoane.exe 392 Jbkbpoog.exe 4552 Kqnbkl32.exe 4688 Kiejmi32.exe 2036 Kjffdalb.exe 1244 Kbmoen32.exe 3700 Kelkaj32.exe 4780 Kgjgne32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iocedcbl.dll Amcehdod.exe File created C:\Windows\SysWOW64\Boflmdkk.exe Bkkple32.exe File opened for modification C:\Windows\SysWOW64\Ccgjopal.exe Ckpbnb32.exe File created C:\Windows\SysWOW64\Eleepoob.exe Eblpgjha.exe File created C:\Windows\SysWOW64\Mohjdmko.dll Mnhkbfme.exe File created C:\Windows\SysWOW64\Ffkclmbd.dll Hjjnae32.exe File created C:\Windows\SysWOW64\Fpbfpack.dll Jdpkflfe.exe File created C:\Windows\SysWOW64\Oeaoab32.exe Obcceg32.exe File created C:\Windows\SysWOW64\Ecqieiii.dll Ajpqnneo.exe File created C:\Windows\SysWOW64\Clgbmp32.exe Cdpjlb32.exe File created C:\Windows\SysWOW64\Hpaolmbc.dll Afgacokc.exe File opened for modification C:\Windows\SysWOW64\Cfldelik.exe Cobkhb32.exe File created C:\Windows\SysWOW64\Enabbk32.dll Efccmidp.exe File created C:\Windows\SysWOW64\Iljekoej.dll Ejfeng32.exe File opened for modification C:\Windows\SysWOW64\Jkhgmf32.exe Jdnoplhh.exe File opened for modification C:\Windows\SysWOW64\Kilpmh32.exe Kaehljpj.exe File created C:\Windows\SysWOW64\Ljgpkonp.exe Lieccf32.exe File opened for modification C:\Windows\SysWOW64\Obcceg32.exe Oklkdi32.exe File created C:\Windows\SysWOW64\Kcejco32.exe Kqfngd32.exe File created C:\Windows\SysWOW64\Mnokgcbe.dll Onapdl32.exe File created C:\Windows\SysWOW64\Lmjhab32.dll Jnlkedai.exe File opened for modification C:\Windows\SysWOW64\Lncjlq32.exe Lflbkcll.exe File created C:\Windows\SysWOW64\Coiaiakf.exe Cmjemflb.exe File opened for modification C:\Windows\SysWOW64\Pehngkcg.exe Ponfka32.exe File opened for modification C:\Windows\SysWOW64\Ekaapi32.exe Emoadlfo.exe File opened for modification C:\Windows\SysWOW64\Jiglnf32.exe Jghpbk32.exe File created C:\Windows\SysWOW64\Qmfqknfm.dll Ljeafb32.exe File created C:\Windows\SysWOW64\Nbefdijg.exe Nknobkje.exe File created C:\Windows\SysWOW64\Hhfjcdon.dll Ahjgjj32.exe File created C:\Windows\SysWOW64\Loighj32.exe Lljklo32.exe File opened for modification C:\Windows\SysWOW64\Lfbped32.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Pejkmk32.exe Popbpqjh.exe File created C:\Windows\SysWOW64\Hqdkac32.dll Aaohcj32.exe File created C:\Windows\SysWOW64\Jlolpq32.exe Jnlkedai.exe File created C:\Windows\SysWOW64\Lomqcjie.exe Llodgnja.exe File created C:\Windows\SysWOW64\Nbklhm32.dll Jbkbpoog.exe File opened for modification C:\Windows\SysWOW64\Nliaao32.exe Nijeec32.exe File created C:\Windows\SysWOW64\Ocgmoc32.dll Ahgjejhd.exe File created C:\Windows\SysWOW64\Bfkegm32.dll Mkohaj32.exe File created C:\Windows\SysWOW64\Qpeahb32.exe Qmgelf32.exe File created C:\Windows\SysWOW64\Agdcpkll.exe Ahaceo32.exe File created C:\Windows\SysWOW64\Dgeenfog.exe Ddgibkpc.exe File opened for modification C:\Windows\SysWOW64\Fechomko.exe Fbelcblk.exe File created C:\Windows\SysWOW64\Gpaoobkd.dll Cofecami.exe File created C:\Windows\SysWOW64\Ecgflaec.dll Gfheof32.exe File opened for modification C:\Windows\SysWOW64\Ggahedjn.exe Gphphj32.exe File created C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Kflide32.exe Kgiiiidd.exe File created C:\Windows\SysWOW64\Cfiedd32.dll Klhnfo32.exe File created C:\Windows\SysWOW64\Jdnoplhh.exe Ibobdqid.exe File created C:\Windows\SysWOW64\Nefped32.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Hjpefo32.dll Onpjichj.exe File created C:\Windows\SysWOW64\Hbjoeojc.exe Hplbickp.exe File created C:\Windows\SysWOW64\Cnmqme32.dll Ihbdplfi.exe File created C:\Windows\SysWOW64\Pngfalmm.dll Fdepgkgj.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe File created C:\Windows\SysWOW64\Lcjcnoej.exe Lqkgbcff.exe File opened for modification C:\Windows\SysWOW64\Popbpqjh.exe Plbfdekd.exe File created C:\Windows\SysWOW64\Fadggj32.dll Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Phfcipoo.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Bgemej32.dll Nglhld32.exe File created C:\Windows\SysWOW64\Cicdai32.dll Jjdjoane.exe File created C:\Windows\SysWOW64\Ggahedjn.exe Gphphj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 19044 18964 WerFault.exe 1005 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbddfmgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilqoobdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjokgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflohaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piijno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabfjpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaifpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmfllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiimadl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebejfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmieae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maodigil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdidgjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcaknbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmabggdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpfjnba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcigeooj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggahedjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hncmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnbqnjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnnkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppqqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfcmhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgeghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbdplfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfkdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmlfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcngpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kinmcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalipoiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeaanjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhgkmpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclkgccf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqncejg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgcamf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdfehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfeaopqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqnbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoepmnk.dll" Cmjemflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbgihaji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgeenfog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpdihki.dll" Fmkqpkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbnoiqdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmfimga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnjqmpgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomcopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmigoagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eoideh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlmbfqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhpakim.dll" Lmdemd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmcjpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fflohaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgllff32.dll" Bcddcbab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbgeno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbbffdlq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geaepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgddbm32.dll" Aanbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glgjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cclnpmna.dll" Kjkpoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgehfkop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll" Mfeeabda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkfcndce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" Lqojclne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gflhoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jljbeali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abponp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bombmcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmlpaoaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bpkdjofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgqlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcgieob.dll" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okgaijaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmhand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegiklal.dll" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojomcopk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll" Bdojjo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4708 wrote to memory of 2680 4708 09ba858aabf2f97a0a38caef4a83fe40N.exe 84 PID 4708 wrote to memory of 2680 4708 09ba858aabf2f97a0a38caef4a83fe40N.exe 84 PID 4708 wrote to memory of 2680 4708 09ba858aabf2f97a0a38caef4a83fe40N.exe 84 PID 2680 wrote to memory of 4756 2680 Gahcmd32.exe 85 PID 2680 wrote to memory of 4756 2680 Gahcmd32.exe 85 PID 2680 wrote to memory of 4756 2680 Gahcmd32.exe 85 PID 4756 wrote to memory of 1548 4756 Hhbkinel.exe 86 PID 4756 wrote to memory of 1548 4756 Hhbkinel.exe 86 PID 4756 wrote to memory of 1548 4756 Hhbkinel.exe 86 PID 1548 wrote to memory of 1392 1548 Hkpheidp.exe 87 PID 1548 wrote to memory of 1392 1548 Hkpheidp.exe 87 PID 1548 wrote to memory of 1392 1548 Hkpheidp.exe 87 PID 1392 wrote to memory of 3564 1392 Hjchaf32.exe 88 PID 1392 wrote to memory of 3564 1392 Hjchaf32.exe 88 PID 1392 wrote to memory of 3564 1392 Hjchaf32.exe 88 PID 3564 wrote to memory of 4768 3564 Hpmpnp32.exe 89 PID 3564 wrote to memory of 4768 3564 Hpmpnp32.exe 89 PID 3564 wrote to memory of 4768 3564 Hpmpnp32.exe 89 PID 4768 wrote to memory of 3128 4768 Hhdhon32.exe 90 PID 4768 wrote to memory of 3128 4768 Hhdhon32.exe 90 PID 4768 wrote to memory of 3128 4768 Hhdhon32.exe 90 PID 3128 wrote to memory of 4980 3128 Hkbdki32.exe 91 PID 3128 wrote to memory of 4980 3128 Hkbdki32.exe 91 PID 3128 wrote to memory of 4980 3128 Hkbdki32.exe 91 PID 4980 wrote to memory of 3836 4980 Hnaqgd32.exe 92 PID 4980 wrote to memory of 3836 4980 Hnaqgd32.exe 92 PID 4980 wrote to memory of 3836 4980 Hnaqgd32.exe 92 PID 3836 wrote to memory of 2352 3836 Hpomcp32.exe 93 PID 3836 wrote to memory of 2352 3836 Hpomcp32.exe 93 PID 3836 wrote to memory of 2352 3836 Hpomcp32.exe 93 PID 2352 wrote to memory of 2716 2352 Hgiepjga.exe 94 PID 2352 wrote to memory of 2716 2352 Hgiepjga.exe 94 PID 2352 wrote to memory of 2716 2352 Hgiepjga.exe 94 PID 2716 wrote to memory of 4596 2716 Hkeaqi32.exe 95 PID 2716 wrote to memory of 4596 2716 Hkeaqi32.exe 95 PID 2716 wrote to memory of 4596 2716 Hkeaqi32.exe 95 PID 4596 wrote to memory of 2356 4596 Hncmmd32.exe 97 PID 4596 wrote to memory of 2356 4596 Hncmmd32.exe 97 PID 4596 wrote to memory of 2356 4596 Hncmmd32.exe 97 PID 2356 wrote to memory of 3316 2356 Hpbiip32.exe 98 PID 2356 wrote to memory of 3316 2356 Hpbiip32.exe 98 PID 2356 wrote to memory of 3316 2356 Hpbiip32.exe 98 PID 3316 wrote to memory of 4748 3316 Hhiajmod.exe 99 PID 3316 wrote to memory of 4748 3316 Hhiajmod.exe 99 PID 3316 wrote to memory of 4748 3316 Hhiajmod.exe 99 PID 4748 wrote to memory of 1792 4748 Hjjnae32.exe 100 PID 4748 wrote to memory of 1792 4748 Hjjnae32.exe 100 PID 4748 wrote to memory of 1792 4748 Hjjnae32.exe 100 PID 1792 wrote to memory of 1656 1792 Haafcb32.exe 102 PID 1792 wrote to memory of 1656 1792 Haafcb32.exe 102 PID 1792 wrote to memory of 1656 1792 Haafcb32.exe 102 PID 1656 wrote to memory of 2320 1656 Hhknpmma.exe 103 PID 1656 wrote to memory of 2320 1656 Hhknpmma.exe 103 PID 1656 wrote to memory of 2320 1656 Hhknpmma.exe 103 PID 2320 wrote to memory of 3148 2320 Hkjjlhle.exe 104 PID 2320 wrote to memory of 3148 2320 Hkjjlhle.exe 104 PID 2320 wrote to memory of 3148 2320 Hkjjlhle.exe 104 PID 3148 wrote to memory of 3184 3148 Hnhghcki.exe 106 PID 3148 wrote to memory of 3184 3148 Hnhghcki.exe 106 PID 3148 wrote to memory of 3184 3148 Hnhghcki.exe 106 PID 3184 wrote to memory of 3976 3184 Idbodn32.exe 107 PID 3184 wrote to memory of 3976 3184 Idbodn32.exe 107 PID 3184 wrote to memory of 3976 3184 Idbodn32.exe 107 PID 3976 wrote to memory of 4512 3976 Ijogmdqm.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\09ba858aabf2f97a0a38caef4a83fe40N.exe"C:\Users\Admin\AppData\Local\Temp\09ba858aabf2f97a0a38caef4a83fe40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Haafcb32.exeC:\Windows\system32\Haafcb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe23⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe24⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe25⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe26⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe27⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe28⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe30⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe31⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe33⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe37⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3112 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4804 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe40⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe41⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe42⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe44⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe45⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe47⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe48⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Jklphekp.exeC:\Windows\system32\Jklphekp.exe49⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe50⤵
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe51⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe52⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe54⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe55⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe56⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe57⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Kiejmi32.exeC:\Windows\system32\Kiejmi32.exe61⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Kjffdalb.exeC:\Windows\system32\Kjffdalb.exe62⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe63⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe64⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe65⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe66⤵
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe67⤵PID:3980
-
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe68⤵PID:1196
-
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe69⤵PID:1356
-
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe70⤵
- Modifies registry class
PID:4468 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4032 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe72⤵
- Drops file in System32 directory
PID:2100 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe73⤵PID:1296
-
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe74⤵PID:3188
-
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe75⤵
- System Location Discovery: System Language Discovery
PID:216 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe77⤵PID:2600
-
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe78⤵PID:3200
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe79⤵PID:2092
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe80⤵PID:2088
-
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe81⤵PID:2468
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe82⤵
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe83⤵PID:4040
-
C:\Windows\SysWOW64\Legjmh32.exeC:\Windows\system32\Legjmh32.exe84⤵PID:2700
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe85⤵PID:4000
-
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe86⤵
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe87⤵PID:3944
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe88⤵
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe89⤵PID:3540
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe90⤵PID:1640
-
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe91⤵PID:2900
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe92⤵PID:2588
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe93⤵PID:5132
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe94⤵PID:5176
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe95⤵PID:5220
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe96⤵PID:5256
-
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe97⤵PID:5308
-
C:\Windows\SysWOW64\Ljkifn32.exeC:\Windows\system32\Ljkifn32.exe98⤵PID:5352
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe99⤵PID:5396
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5444 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe101⤵PID:5488
-
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe102⤵PID:5532
-
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe103⤵PID:5576
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe104⤵PID:5620
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe105⤵
- Modifies registry class
PID:5692 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe106⤵PID:5744
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe107⤵PID:5800
-
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe108⤵PID:5840
-
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe109⤵PID:5884
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe110⤵PID:5932
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe112⤵PID:6020
-
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe113⤵
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe114⤵PID:6104
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe115⤵PID:2896
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe116⤵PID:5192
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe117⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe118⤵PID:5324
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe119⤵PID:5392
-
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe120⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe121⤵PID:5540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-