Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 03:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4c8fe9f9c2f136840c48a0dff7244f00N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4c8fe9f9c2f136840c48a0dff7244f00N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
4c8fe9f9c2f136840c48a0dff7244f00N.exe
-
Size
80KB
-
MD5
4c8fe9f9c2f136840c48a0dff7244f00
-
SHA1
8c846e435e325c27e8caf49a6c133888911c67d6
-
SHA256
89eb81cff775e7256381bd122fb2e563732a97da21272fc6acc1e5650ebbc03b
-
SHA512
aeab510499181ac9ebd45b8d297fab9fc71b98fe2784381b8d373442c28bcea4ab2daa85de865352281b446d8a16d31278c2586820593393eeea017f3daca60d
-
SSDEEP
1536:8NE3K4sHL9ynPlPQAOtEOrz62Ltxwfi+TjRC/6i:8NE6L9yn9PQAOyOHH3wf1TjYL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljclki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkqhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknbkjfh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqhcpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidabppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplfkeob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoobdp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikejgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgnbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innfnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plndcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfgek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aekddhcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfekc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfnlf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olicnfco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgeainn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpeohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidabppl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpggamqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gingkqkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikmbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcanll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgpogili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkobmnka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgninn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amodep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqhdbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoifflkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hidgai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldjcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aonhghjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqkill32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhghcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbinam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekiqccc.exe -
Executes dropped EXE 64 IoCs
pid Process 4024 Npedmdab.exe 4812 Nbcqiope.exe 4860 Ngomin32.exe 3436 Niniei32.exe 3136 Nlleaeff.exe 4060 Ncfmno32.exe 216 Nipekiep.exe 4616 Nlnbgddc.exe 3972 Nchjdo32.exe 3564 Nibbqicm.exe 3260 Nlqomd32.exe 4268 Ncjginjn.exe 560 Oeicejia.exe 3932 Olckbd32.exe 764 Ooagno32.exe 2172 Oekpkigo.exe 3812 Ohjlgefb.exe 4888 Opadhb32.exe 1284 Ogklelna.exe 3596 Oiihahme.exe 1180 Oiihahme.exe 3460 Olgemcli.exe 1688 Ocamjm32.exe 5024 Ogmijllo.exe 4988 Ohnebd32.exe 4048 Oohnonij.exe 2264 Oebflhaf.exe 4892 Ollnhb32.exe 4740 Ookjdn32.exe 1016 Pgbbek32.exe 4552 Ploknb32.exe 1532 Pomgjn32.exe 4560 Pcicklnn.exe 1944 Pfgogh32.exe 672 Plagcbdn.exe 3336 Poodpmca.exe 1156 Pgflqkdd.exe 3960 Pfillg32.exe 1456 Phhhhc32.exe 5004 Plcdiabk.exe 2408 Poaqemao.exe 3296 Pgihfj32.exe 4556 Pflibgil.exe 632 Phjenbhp.exe 316 Ppamophb.exe 3308 Podmkm32.exe 3768 Pgkelj32.exe 4952 Pfnegggi.exe 4112 Phlacbfm.exe 3988 Qgnbaj32.exe 2176 Qhonib32.exe 856 Qoifflkg.exe 2348 Qgpogili.exe 2092 Qfbobf32.exe 772 Qhakoa32.exe 1104 Qqhcpo32.exe 1096 Acgolj32.exe 4208 Ajqgidij.exe 3128 Amodep32.exe 3176 Acilajpk.exe 4232 Afghneoo.exe 3484 Ahfdjanb.exe 4940 Aqmlknnd.exe 112 Ackigjmh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hjhalefe.exe Hdkidohn.exe File opened for modification C:\Windows\SysWOW64\Hcmbee32.exe Hpofii32.exe File created C:\Windows\SysWOW64\Nmhbnnof.dll Ajqgidij.exe File created C:\Windows\SysWOW64\Ilmmni32.exe Injmcmej.exe File created C:\Windows\SysWOW64\Flkdfh32.exe Fimhjl32.exe File created C:\Windows\SysWOW64\Omqmop32.exe Ojbacd32.exe File created C:\Windows\SysWOW64\Ipbehfom.dll Lnjgfb32.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lcimdh32.exe File opened for modification C:\Windows\SysWOW64\Poaqemao.exe Plcdiabk.exe File created C:\Windows\SysWOW64\Hkpheidp.exe Hgelek32.exe File created C:\Windows\SysWOW64\Gbobfjdp.dll Pefhlaie.exe File created C:\Windows\SysWOW64\Eiieicml.exe Ejfeng32.exe File created C:\Windows\SysWOW64\Lklbdm32.exe Kcejco32.exe File opened for modification C:\Windows\SysWOW64\Aekddhcb.exe Anclbkbp.exe File created C:\Windows\SysWOW64\Dbpjaeoc.exe Doaneiop.exe File opened for modification C:\Windows\SysWOW64\Monjjgkb.exe Mmpmnl32.exe File opened for modification C:\Windows\SysWOW64\Phajna32.exe Ppjbmc32.exe File created C:\Windows\SysWOW64\Hiacfqch.dll Jlkipgpe.exe File created C:\Windows\SysWOW64\Ohkkhhmh.exe Oaqbkn32.exe File created C:\Windows\SysWOW64\Hopnfa32.dll Pdkoch32.exe File created C:\Windows\SysWOW64\Obgbikfp.dll Bedgjgkg.exe File created C:\Windows\SysWOW64\Ebhglj32.exe Epikpo32.exe File created C:\Windows\SysWOW64\Backpf32.dll Hbhijepa.exe File created C:\Windows\SysWOW64\Oabhfg32.exe Omgmeigd.exe File opened for modification C:\Windows\SysWOW64\Bpdnjple.exe Bmeandma.exe File created C:\Windows\SysWOW64\Mlkepaam.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Fiebmc32.dll Mjpbam32.exe File created C:\Windows\SysWOW64\Achegd32.exe Ahcajk32.exe File created C:\Windows\SysWOW64\Oeehkn32.exe Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Bkobmnka.exe Bhpfqcln.exe File created C:\Windows\SysWOW64\Pmphblgf.dll Dkceokii.exe File created C:\Windows\SysWOW64\Ibfnqmpf.exe Ipgbdbqb.exe File created C:\Windows\SysWOW64\Aoofle32.exe Alqjpi32.exe File created C:\Windows\SysWOW64\Dmcnoekk.dll Ilcldb32.exe File created C:\Windows\SysWOW64\Ahmjjoig.exe Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Cammjakm.exe Cnaaib32.exe File opened for modification C:\Windows\SysWOW64\Fpjjac32.exe Fmlneg32.exe File created C:\Windows\SysWOW64\Kjhloj32.exe Kgipcogp.exe File created C:\Windows\SysWOW64\Ejahqlpp.dll Acpbbi32.exe File created C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File created C:\Windows\SysWOW64\Cglblmfn.dll Aogiap32.exe File opened for modification C:\Windows\SysWOW64\Hhknpmma.exe Haafcb32.exe File opened for modification C:\Windows\SysWOW64\Ejlbhh32.exe Ebejfk32.exe File created C:\Windows\SysWOW64\Pjpfjl32.exe Phajna32.exe File opened for modification C:\Windows\SysWOW64\Miaboe32.exe Mbgjbkfg.exe File created C:\Windows\SysWOW64\Ohnohn32.exe Oiknlagg.exe File opened for modification C:\Windows\SysWOW64\Dpgnjo32.exe Dmhand32.exe File opened for modification C:\Windows\SysWOW64\Emmkiclm.exe Ejoomhmi.exe File opened for modification C:\Windows\SysWOW64\Jgbjbp32.exe Jcgnbaeo.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Njkkbehl.exe File created C:\Windows\SysWOW64\Gikdkj32.exe Geohklaa.exe File created C:\Windows\SysWOW64\Ogjkhmfa.dll Hjedffig.exe File created C:\Windows\SysWOW64\Comjoclk.dll Jqhafffk.exe File created C:\Windows\SysWOW64\Fbihneaj.dll Kclgmq32.exe File created C:\Windows\SysWOW64\Lkeekk32.exe Lcnmin32.exe File created C:\Windows\SysWOW64\Eghghj32.dll Lklbdm32.exe File opened for modification C:\Windows\SysWOW64\Eblimcdf.exe Epmmqheb.exe File created C:\Windows\SysWOW64\Hlbcnd32.exe Hidgai32.exe File created C:\Windows\SysWOW64\Gmhgag32.dll Hemdlj32.exe File created C:\Windows\SysWOW64\Pipeabep.dll Caageq32.exe File created C:\Windows\SysWOW64\Hdokdg32.exe Hlhccj32.exe File created C:\Windows\SysWOW64\Jfegnkqm.dll Dbicpfdk.exe File created C:\Windows\SysWOW64\Hlgdjg32.dll Joahqn32.exe File created C:\Windows\SysWOW64\Lhlndcmq.dll Hgmgqc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1196 4996 Process not Found 1127 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoifflkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olanmgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekpkigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podmkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmclccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjadje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megljppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnifekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflibgil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhjkabi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejflhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpqnneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngndaccj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afghneoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglbhhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjnjcni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmigagd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginnfgop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkbkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbloglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgibpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkgcea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfodeohd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abponp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfgjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadfkdgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhldpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbobf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecellgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaifpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhniccb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnoddcef.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcfggkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiihahme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acgolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcpjljph.dll" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqpcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnlefae.dll" Cbgnemjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbmemif.dll" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll" Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Podmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phlacbfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbfbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngomin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paplcg32.dll" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgjhf32.dll" Ghmbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeicejia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqkill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmbheilp.dll" Ljdceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbokg32.dll" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll" Mokmdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikjab32.dll" Oeicejia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjhalefe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emihhjna.dll" Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flcmfp32.dll" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odepdabi.dll" Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diinlj32.dll" Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkbmh32.dll" Nliaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkohe32.dll" Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkajf32.dll" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmcjb32.dll" Fjmkoeqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emnbdioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmakofh.dll" Eleepoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhpfqcln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dclkee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnfcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaompd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeokal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pffgom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpmbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feoodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlkepaam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dooaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okchnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhjapnj.dll" Hoobdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealkjh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4356 wrote to memory of 4024 4356 4c8fe9f9c2f136840c48a0dff7244f00N.exe 83 PID 4356 wrote to memory of 4024 4356 4c8fe9f9c2f136840c48a0dff7244f00N.exe 83 PID 4356 wrote to memory of 4024 4356 4c8fe9f9c2f136840c48a0dff7244f00N.exe 83 PID 4024 wrote to memory of 4812 4024 Npedmdab.exe 84 PID 4024 wrote to memory of 4812 4024 Npedmdab.exe 84 PID 4024 wrote to memory of 4812 4024 Npedmdab.exe 84 PID 4812 wrote to memory of 4860 4812 Nbcqiope.exe 85 PID 4812 wrote to memory of 4860 4812 Nbcqiope.exe 85 PID 4812 wrote to memory of 4860 4812 Nbcqiope.exe 85 PID 4860 wrote to memory of 3436 4860 Ngomin32.exe 86 PID 4860 wrote to memory of 3436 4860 Ngomin32.exe 86 PID 4860 wrote to memory of 3436 4860 Ngomin32.exe 86 PID 3436 wrote to memory of 3136 3436 Niniei32.exe 87 PID 3436 wrote to memory of 3136 3436 Niniei32.exe 87 PID 3436 wrote to memory of 3136 3436 Niniei32.exe 87 PID 3136 wrote to memory of 4060 3136 Nlleaeff.exe 89 PID 3136 wrote to memory of 4060 3136 Nlleaeff.exe 89 PID 3136 wrote to memory of 4060 3136 Nlleaeff.exe 89 PID 4060 wrote to memory of 216 4060 Ncfmno32.exe 90 PID 4060 wrote to memory of 216 4060 Ncfmno32.exe 90 PID 4060 wrote to memory of 216 4060 Ncfmno32.exe 90 PID 216 wrote to memory of 4616 216 Nipekiep.exe 91 PID 216 wrote to memory of 4616 216 Nipekiep.exe 91 PID 216 wrote to memory of 4616 216 Nipekiep.exe 91 PID 4616 wrote to memory of 3972 4616 Nlnbgddc.exe 92 PID 4616 wrote to memory of 3972 4616 Nlnbgddc.exe 92 PID 4616 wrote to memory of 3972 4616 Nlnbgddc.exe 92 PID 3972 wrote to memory of 3564 3972 Nchjdo32.exe 94 PID 3972 wrote to memory of 3564 3972 Nchjdo32.exe 94 PID 3972 wrote to memory of 3564 3972 Nchjdo32.exe 94 PID 3564 wrote to memory of 3260 3564 Nibbqicm.exe 95 PID 3564 wrote to memory of 3260 3564 Nibbqicm.exe 95 PID 3564 wrote to memory of 3260 3564 Nibbqicm.exe 95 PID 3260 wrote to memory of 4268 3260 Nlqomd32.exe 96 PID 3260 wrote to memory of 4268 3260 Nlqomd32.exe 96 PID 3260 wrote to memory of 4268 3260 Nlqomd32.exe 96 PID 4268 wrote to memory of 560 4268 Ncjginjn.exe 97 PID 4268 wrote to memory of 560 4268 Ncjginjn.exe 97 PID 4268 wrote to memory of 560 4268 Ncjginjn.exe 97 PID 560 wrote to memory of 3932 560 Oeicejia.exe 98 PID 560 wrote to memory of 3932 560 Oeicejia.exe 98 PID 560 wrote to memory of 3932 560 Oeicejia.exe 98 PID 3932 wrote to memory of 764 3932 Olckbd32.exe 99 PID 3932 wrote to memory of 764 3932 Olckbd32.exe 99 PID 3932 wrote to memory of 764 3932 Olckbd32.exe 99 PID 764 wrote to memory of 2172 764 Ooagno32.exe 101 PID 764 wrote to memory of 2172 764 Ooagno32.exe 101 PID 764 wrote to memory of 2172 764 Ooagno32.exe 101 PID 2172 wrote to memory of 3812 2172 Oekpkigo.exe 102 PID 2172 wrote to memory of 3812 2172 Oekpkigo.exe 102 PID 2172 wrote to memory of 3812 2172 Oekpkigo.exe 102 PID 3812 wrote to memory of 4888 3812 Ohjlgefb.exe 103 PID 3812 wrote to memory of 4888 3812 Ohjlgefb.exe 103 PID 3812 wrote to memory of 4888 3812 Ohjlgefb.exe 103 PID 4888 wrote to memory of 1284 4888 Opadhb32.exe 104 PID 4888 wrote to memory of 1284 4888 Opadhb32.exe 104 PID 4888 wrote to memory of 1284 4888 Opadhb32.exe 104 PID 1284 wrote to memory of 3596 1284 Ogklelna.exe 105 PID 1284 wrote to memory of 3596 1284 Ogklelna.exe 105 PID 1284 wrote to memory of 3596 1284 Ogklelna.exe 105 PID 3596 wrote to memory of 1180 3596 Oiihahme.exe 106 PID 3596 wrote to memory of 1180 3596 Oiihahme.exe 106 PID 3596 wrote to memory of 1180 3596 Oiihahme.exe 106 PID 1180 wrote to memory of 3460 1180 Oiihahme.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c8fe9f9c2f136840c48a0dff7244f00N.exe"C:\Users\Admin\AppData\Local\Temp\4c8fe9f9c2f136840c48a0dff7244f00N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Nlleaeff.exeC:\Windows\system32\Nlleaeff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Nlnbgddc.exeC:\Windows\system32\Nlnbgddc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\Oeicejia.exeC:\Windows\system32\Oeicejia.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Oekpkigo.exeC:\Windows\system32\Oekpkigo.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\Opadhb32.exeC:\Windows\system32\Opadhb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe23⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe24⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe25⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe26⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe27⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe28⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe29⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe30⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe31⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe32⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe33⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe34⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe35⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe36⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe37⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe38⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe39⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe40⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe42⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe43⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe45⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe46⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3308 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe48⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe49⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe52⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe56⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4208 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3128 -
C:\Windows\SysWOW64\Acilajpk.exeC:\Windows\system32\Acilajpk.exe61⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe63⤵
- Executes dropped EXE
PID:3484 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe64⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe65⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe66⤵PID:1192
-
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe67⤵PID:3244
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe68⤵PID:1088
-
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe69⤵PID:3192
-
C:\Windows\SysWOW64\Agiamhdo.exeC:\Windows\system32\Agiamhdo.exe70⤵PID:4340
-
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe71⤵
- System Location Discovery: System Language Discovery
PID:468 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe72⤵PID:1684
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe73⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe74⤵PID:1152
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe75⤵PID:3200
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe76⤵PID:3204
-
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe77⤵PID:2816
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe78⤵PID:1184
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe79⤵PID:4840
-
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4996 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe81⤵PID:4832
-
C:\Windows\SysWOW64\Boklbi32.exeC:\Windows\system32\Boklbi32.exe82⤵PID:3540
-
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe83⤵PID:864
-
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe84⤵PID:4220
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe86⤵PID:4572
-
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe87⤵PID:3908
-
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe88⤵PID:4384
-
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe89⤵PID:5012
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe90⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe91⤵PID:3180
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe92⤵PID:3092
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe93⤵PID:3772
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe94⤵PID:1100
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe95⤵PID:756
-
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3476 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe97⤵PID:2792
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe98⤵PID:1764
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe99⤵PID:1672
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe100⤵PID:5128
-
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe101⤵PID:5164
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe102⤵PID:5208
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe103⤵PID:5252
-
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe104⤵PID:5296
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe105⤵PID:5340
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe106⤵PID:5388
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe107⤵PID:5432
-
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe108⤵PID:5476
-
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe109⤵PID:5540
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe110⤵
- System Location Discovery: System Language Discovery
PID:5596 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe111⤵PID:5648
-
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe112⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe113⤵PID:5740
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe114⤵PID:5784
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe115⤵PID:5828
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe116⤵PID:5872
-
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe117⤵PID:5916
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe118⤵PID:5960
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe119⤵PID:6004
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe120⤵PID:6048
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe121⤵PID:6092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-