Analysis
max time kernel: 114s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 11:17
Static task: static1
Behavioral task: behavioral1
Sample: 7f3013453e090eba0f36883baa071090N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 7f3013453e090eba0f36883baa071090N.exe
Resource: win10v2004-20240802-en
General
Target: 7f3013453e090eba0f36883baa071090N.exe
Size: 64KB
MD5: 7f3013453e090eba0f36883baa071090
SHA1: a93a16d96041c09f36edd01dea74376a27bf2722
SHA256: 06982d0c766723502049cf362619bb19e1c54389bdc91e834dcf8c56358a9c2f
SHA512: 0c959677f438fa8443ea72b83bc2b541f31ed21dcafbfabe7d5797f3ee34c9c2d0f7acc317846ecb8cb2aaedfe048e206bdc51fa863018396b4089b236e9305a
SSDEEP: 1536:NyxwYEeF0eiTidZXu5HxvLYktBtCVXUwXfzwv:YEeF0eiGg5HxvLYkdCxPzwv
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7304, pid_target: 7124, Process: WerFault.exe, procid_target: 1063
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f3013453e090eba0f36883baa071090N.exe"C:\Users\Admin\AppData\Local\Temp\7f3013453e090eba0f36883baa071090N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:180 -
C:\Windows\SysWOW64\Lbjlbj32.exeC:\Windows\system32\Lbjlbj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Liddodbc.exeC:\Windows\system32\Liddodbc.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Mpnllo32.exeC:\Windows\system32\Mpnllo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Mclhhj32.exeC:\Windows\system32\Mclhhj32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Mekdde32.exeC:\Windows\system32\Mekdde32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Mmbmec32.exeC:\Windows\system32\Mmbmec32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Mdlebm32.exeC:\Windows\system32\Mdlebm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Mgjanh32.exeC:\Windows\system32\Mgjanh32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Mlgjfo32.exeC:\Windows\system32\Mlgjfo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\SysWOW64\Mcabcido.exeC:\Windows\system32\Mcabcido.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Mikjpc32.exeC:\Windows\system32\Mikjpc32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Mpebmnch.exeC:\Windows\system32\Mpebmnch.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Mebked32.exeC:\Windows\system32\Mebked32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Mllcaoil.exeC:\Windows\system32\Mllcaoil.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Mcfkni32.exeC:\Windows\system32\Mcfkni32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Mipckchf.exeC:\Windows\system32\Mipckchf.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Npjlhm32.exeC:\Windows\system32\Npjlhm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\Ngdddg32.exeC:\Windows\system32\Ngdddg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Nnnlaanl.exeC:\Windows\system32\Nnnlaanl.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Nplhmmmp.exeC:\Windows\system32\Nplhmmmp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ncjdihld.exeC:\Windows\system32\Ncjdihld.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Njdmfb32.exeC:\Windows\system32\Njdmfb32.exe23⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nlcibn32.exeC:\Windows\system32\Nlcibn32.exe24⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Ncmaohja.exeC:\Windows\system32\Ncmaohja.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Windows\SysWOW64\Njgjlban.exeC:\Windows\system32\Njgjlban.exe26⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Npabhl32.exeC:\Windows\system32\Npabhl32.exe27⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Ngkjefqh.exeC:\Windows\system32\Ngkjefqh.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:228 -
C:\Windows\SysWOW64\Nnebap32.exeC:\Windows\system32\Nnebap32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Npconl32.exeC:\Windows\system32\Npconl32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Ndoknjpa.exeC:\Windows\system32\Ndoknjpa.exe31⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Nfpgfb32.exeC:\Windows\system32\Nfpgfb32.exe32⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Oljocm32.exeC:\Windows\system32\Oljocm32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Ogpcpe32.exeC:\Windows\system32\Ogpcpe32.exe34⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Onilmpdo.exeC:\Windows\system32\Onilmpdo.exe35⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ophhikcc.exeC:\Windows\system32\Ophhikcc.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Ogbpfe32.exeC:\Windows\system32\Ogbpfe32.exe37⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Onlhbobl.exeC:\Windows\system32\Onlhbobl.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4616 -
C:\Windows\SysWOW64\Odfqoiii.exeC:\Windows\system32\Odfqoiii.exe39⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Ogdmkdhm.exeC:\Windows\system32\Ogdmkdhm.exe40⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ojbigpgq.exeC:\Windows\system32\Ojbigpgq.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Oqmadj32.exeC:\Windows\system32\Oqmadj32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4356 -
C:\Windows\SysWOW64\Odhmdigf.exeC:\Windows\system32\Odhmdigf.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Ofijla32.exeC:\Windows\system32\Ofijla32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\Oqonjjmk.exeC:\Windows\system32\Oqonjjmk.exe45⤵
- Executes dropped EXE
PID:4804 -
C:\Windows\SysWOW64\Ocmjfelo.exeC:\Windows\system32\Ocmjfelo.exe46⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Pflfbqkb.exeC:\Windows\system32\Pflfbqkb.exe47⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Pjgbbp32.exeC:\Windows\system32\Pjgbbp32.exe48⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Pcpgkejl.exeC:\Windows\system32\Pcpgkejl.exe49⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Pjjoho32.exeC:\Windows\system32\Pjjoho32.exe50⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Pqcgeiie.exeC:\Windows\system32\Pqcgeiie.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Pcbdad32.exeC:\Windows\system32\Pcbdad32.exe52⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Pjllnopf.exeC:\Windows\system32\Pjllnopf.exe53⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Pcdqfd32.exeC:\Windows\system32\Pcdqfd32.exe54⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Pfbmbp32.exeC:\Windows\system32\Pfbmbp32.exe55⤵PID:4884
-
C:\Windows\SysWOW64\Pnjecm32.exeC:\Windows\system32\Pnjecm32.exe56⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Pddmqgmi.exeC:\Windows\system32\Pddmqgmi.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Windows\SysWOW64\Pfeihpcg.exeC:\Windows\system32\Pfeihpcg.exe58⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Pnlaimcj.exeC:\Windows\system32\Pnlaimcj.exe59⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Pdfjfg32.exeC:\Windows\system32\Pdfjfg32.exe60⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Qfgfnoae.exeC:\Windows\system32\Qfgfnoae.exe61⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Qqmjkhqk.exeC:\Windows\system32\Qqmjkhqk.exe62⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Qckfgcpo.exeC:\Windows\system32\Qckfgcpo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Qjeodmgk.exeC:\Windows\system32\Qjeodmgk.exe64⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Qmckpifo.exeC:\Windows\system32\Qmckpifo.exe65⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Acncmc32.exeC:\Windows\system32\Acncmc32.exe66⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Agiomafe.exeC:\Windows\system32\Agiomafe.exe67⤵
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Ancgjl32.exeC:\Windows\system32\Ancgjl32.exe68⤵PID:3160
-
C:\Windows\SysWOW64\Aempffeo.exeC:\Windows\system32\Aempffeo.exe69⤵PID:4016
-
C:\Windows\SysWOW64\Agllcadb.exeC:\Windows\system32\Agllcadb.exe70⤵PID:3484
-
C:\Windows\SysWOW64\Afnlnn32.exeC:\Windows\system32\Afnlnn32.exe71⤵PID:3064
-
C:\Windows\SysWOW64\Ajjhom32.exeC:\Windows\system32\Ajjhom32.exe72⤵PID:5144
-
C:\Windows\SysWOW64\Aqdqlgkc.exeC:\Windows\system32\Aqdqlgkc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Agniha32.exeC:\Windows\system32\Agniha32.exe74⤵PID:5232
-
C:\Windows\SysWOW64\Anhaekil.exeC:\Windows\system32\Anhaekil.exe75⤵PID:5272
-
C:\Windows\SysWOW64\Aqfmafip.exeC:\Windows\system32\Aqfmafip.exe76⤵PID:5312
-
C:\Windows\SysWOW64\Aebiae32.exeC:\Windows\system32\Aebiae32.exe77⤵PID:5348
-
C:\Windows\SysWOW64\Afcfimgg.exeC:\Windows\system32\Afcfimgg.exe78⤵PID:5396
-
C:\Windows\SysWOW64\Ammnfgnd.exeC:\Windows\system32\Ammnfgnd.exe79⤵PID:5444
-
C:\Windows\SysWOW64\Afebom32.exeC:\Windows\system32\Afebom32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\Anmjpj32.exeC:\Windows\system32\Anmjpj32.exe81⤵
- System Location Discovery: System Language Discovery
PID:5524 -
C:\Windows\SysWOW64\Aefbmdmd.exeC:\Windows\system32\Aefbmdmd.exe82⤵PID:5568
-
C:\Windows\SysWOW64\Bnogfj32.exeC:\Windows\system32\Bnogfj32.exe83⤵PID:5612
-
C:\Windows\SysWOW64\Beiobd32.exeC:\Windows\system32\Beiobd32.exe84⤵PID:5648
-
C:\Windows\SysWOW64\Bcnlcqpi.exeC:\Windows\system32\Bcnlcqpi.exe85⤵PID:5700
-
C:\Windows\SysWOW64\Bmfqlf32.exeC:\Windows\system32\Bmfqlf32.exe86⤵PID:5744
-
C:\Windows\SysWOW64\Bfoeel32.exeC:\Windows\system32\Bfoeel32.exe87⤵PID:5788
-
C:\Windows\SysWOW64\Bmimbfdg.exeC:\Windows\system32\Bmimbfdg.exe88⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Bepeccei.exeC:\Windows\system32\Bepeccei.exe89⤵
- Drops file in System32 directory
PID:5876 -
C:\Windows\SysWOW64\Bfabkk32.exeC:\Windows\system32\Bfabkk32.exe90⤵PID:5920
-
C:\Windows\SysWOW64\Bnhjli32.exeC:\Windows\system32\Bnhjli32.exe91⤵PID:5964
-
C:\Windows\SysWOW64\Cfcopkie.exeC:\Windows\system32\Cfcopkie.exe92⤵
- Drops file in System32 directory
PID:6008 -
C:\Windows\SysWOW64\Cnkfahig.exeC:\Windows\system32\Cnkfahig.exe93⤵PID:6052
-
C:\Windows\SysWOW64\Chckjn32.exeC:\Windows\system32\Chckjn32.exe94⤵PID:6100
-
C:\Windows\SysWOW64\Cmpcbe32.exeC:\Windows\system32\Cmpcbe32.exe95⤵
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Cakpccfh.exeC:\Windows\system32\Cakpccfh.exe96⤵PID:5176
-
C:\Windows\SysWOW64\Ceglcb32.exeC:\Windows\system32\Ceglcb32.exe97⤵
- Drops file in System32 directory
PID:5280 -
C:\Windows\SysWOW64\Chehpnne.exeC:\Windows\system32\Chehpnne.exe98⤵PID:5404
-
C:\Windows\SysWOW64\Cjddlimi.exeC:\Windows\system32\Cjddlimi.exe99⤵PID:5480
-
C:\Windows\SysWOW64\Cjfqaikf.exeC:\Windows\system32\Cjfqaikf.exe100⤵PID:5536
-
C:\Windows\SysWOW64\Cndihgal.exeC:\Windows\system32\Cndihgal.exe101⤵PID:5608
-
C:\Windows\SysWOW64\Dfonliog.exeC:\Windows\system32\Dfonliog.exe102⤵PID:5672
-
C:\Windows\SysWOW64\Daebibnm.exeC:\Windows\system32\Daebibnm.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Dfakaile.exeC:\Windows\system32\Dfakaile.exe104⤵PID:5808
-
C:\Windows\SysWOW64\Debkpqdd.exeC:\Windows\system32\Debkpqdd.exe105⤵PID:5872
-
C:\Windows\SysWOW64\Dhagllch.exeC:\Windows\system32\Dhagllch.exe106⤵PID:5940
-
C:\Windows\SysWOW64\Dhcdalae.exeC:\Windows\system32\Dhcdalae.exe107⤵PID:5988
-
C:\Windows\SysWOW64\Dmpmib32.exeC:\Windows\system32\Dmpmib32.exe108⤵PID:6060
-
C:\Windows\SysWOW64\Dkdmcg32.exeC:\Windows\system32\Dkdmcg32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4820 -
C:\Windows\SysWOW64\Ehhmlk32.exeC:\Windows\system32\Ehhmlk32.exe110⤵PID:5308
-
C:\Windows\SysWOW64\Edonal32.exeC:\Windows\system32\Edonal32.exe111⤵PID:5432
-
C:\Windows\SysWOW64\Eacokp32.exeC:\Windows\system32\Eacokp32.exe112⤵PID:5532
-
C:\Windows\SysWOW64\Emjopaha.exeC:\Windows\system32\Emjopaha.exe113⤵PID:5632
-
C:\Windows\SysWOW64\Eaghfpnh.exeC:\Windows\system32\Eaghfpnh.exe114⤵PID:5752
-
C:\Windows\SysWOW64\Ekpmoe32.exeC:\Windows\system32\Ekpmoe32.exe115⤵PID:2108
-
C:\Windows\SysWOW64\Fdknmj32.exeC:\Windows\system32\Fdknmj32.exe116⤵PID:5024
-
C:\Windows\SysWOW64\Fgijif32.exeC:\Windows\system32\Fgijif32.exe117⤵
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\SysWOW64\Fopbjc32.exeC:\Windows\system32\Fopbjc32.exe118⤵
- Modifies registry class
PID:6024 -
C:\Windows\SysWOW64\Fkgbod32.exeC:\Windows\system32\Fkgbod32.exe119⤵PID:6136
-
C:\Windows\SysWOW64\Fnhlao32.exeC:\Windows\system32\Fnhlao32.exe120⤵PID:5328
-
C:\Windows\SysWOW64\Facgandk.exeC:\Windows\system32\Facgandk.exe121⤵PID:5540
-
C:\Windows\SysWOW64\Gaedgn32.exeC:\Windows\system32\Gaedgn32.exe122⤵PID:5624
-