Analysis
- max time kernel: 125s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 13:28
Static task: static1
Behavioral task: behavioral1
- Sample: e92bae3a9f856657ffe2ad8642b0100e0e4febdf1e1b3bdfcbe3d268d78bc34b.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e92bae3a9f856657ffe2ad8642b0100e0e4febdf1e1b3bdfcbe3d268d78bc34b.exe
- Resource: win10v2004-20240802-en
General
- Target: e92bae3a9f856657ffe2ad8642b0100e0e4febdf1e1b3bdfcbe3d268d78bc34b.exe
- Size: 96KB
- MD5: 1fff3f433ff5ef742a61659c55001c25
- SHA1: da5903eb7137ec24c017c7bbbc751b7a648f3a5b
- SHA256: e92bae3a9f856657ffe2ad8642b0100e0e4febdf1e1b3bdfcbe3d268d78bc34b
- SHA512: 76134957614441dea3e32cfa32398f3881dfbafdf720d62c63223ca34773fe9abd5c5602ee10036aae556df03e1f8d51324d12b3a40876b5ae560c29f90daab3
- SSDEEP: 1536:hfJnJAOF9C+gbG6m6myNvDP1Wt9ZQI4Cus7CqgDD6xTduV9jojTIvjrH:Dn+OZSmyNvD1Wt9uI4vs7jnxTd69jc0X
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 events target the key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. Every "Set value (str)" event writes the value Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" under that key; the CLSID it names is registered in the "Modifies registry class" section.
description | ioc (relative to the key above) | Process
Key created | ShellServiceObjectDelayLoad | Kpacfc32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajgkfn32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fihcfn32.exe
Key created | ShellServiceObjectDelayLoad | Kdkcqb32.exe
Key created | ShellServiceObjectDelayLoad | Lllgkn32.exe
Key created | ShellServiceObjectDelayLoad | Bonoln32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnjmdnfo.exe
Key created | ShellServiceObjectDelayLoad | Hpgihdbp.exe
Key created | ShellServiceObjectDelayLoad | Jqhpbq32.exe
Key created | ShellServiceObjectDelayLoad | Eqnfif32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fjpnhjfj.exe
Key created | ShellServiceObjectDelayLoad | Pnolofdm.exe
Key created | ShellServiceObjectDelayLoad | Dkcdhj32.exe
Key created | ShellServiceObjectDelayLoad | Jnfqelag.exe
Key created | ShellServiceObjectDelayLoad | Ndohodbg.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkiqknid.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfoeammb.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffibmang.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gcaego32.exe
Key created | ShellServiceObjectDelayLoad | Clmhgk32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebocaonb.exe
Key created | ShellServiceObjectDelayLoad | Hijmkdij.exe
Key created | ShellServiceObjectDelayLoad | Pbkfdacn.exe
Key created | ShellServiceObjectDelayLoad | Edfbbdpb.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ofmjmdhj.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ongfng32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pbkfdacn.exe
Key created | ShellServiceObjectDelayLoad | Epgphg32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifbgpg32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eokfom32.exe
Key created | ShellServiceObjectDelayLoad | Fihcfn32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmajajcd.exe
Key created | ShellServiceObjectDelayLoad | Oebeegen.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qilmgdag.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bomagajk.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Acdpcefo.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hpaqkd32.exe
Key created | ShellServiceObjectDelayLoad | Ehppng32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Piegfe32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bjqnlm32.exe
Key created | ShellServiceObjectDelayLoad | Cfoeammb.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iidobf32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oicfhmqm.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Diadna32.exe
Key created | ShellServiceObjectDelayLoad | Pendaf32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qadnlqmi.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ffoabfoj.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Allooi32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ijlaiibb.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kifndm32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fafahj32.exe
Key created | ShellServiceObjectDelayLoad | Gakjcjgo.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amofch32.exe
Key created | ShellServiceObjectDelayLoad | Dhmlbj32.exe
Key created | ShellServiceObjectDelayLoad | Kfllbnje.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kfllbnje.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgniebbg.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dkcdhj32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Goneadkg.exe
Key created | ShellServiceObjectDelayLoad | Coeemmkj.exe
Key created | ShellServiceObjectDelayLoad | Kbqgle32.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pqhopbgf.exe
Key created | ShellServiceObjectDelayLoad | Qoeabqml.exe
Set value (str) | Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnkoed32.exe
Executes dropped EXE (64 IoCs)
pid | Process
3728 | Obglib32.exe
3020 | Oiqdflop.exe
3624 | Ppkmbffm.exe
2216 | Pfdeop32.exe
4644 | Picakl32.exe
2456 | Pbkfdacn.exe
1328 | Pejbqmca.exe
4464 | Pmajajcd.exe
3044 | Ppofnebg.exe
4408 | Pfinjpjd.exe
2928 | Plfgbfhl.exe
4916 | Pbpooq32.exe
2716 | Peokll32.exe
4692 | Pogpdaem.exe
2240 | Pildaj32.exe
2856 | Qpflndlp.exe
1584 | Qbehjplc.exe
4528 | Qecegkkg.exe
4968 | Qmjmhiki.exe
1932 | Qeealk32.exe
2752 | Apkfid32.exe
3144 | Afenfnpg.exe
4532 | Amofch32.exe
4860 | Apmboc32.exe
1116 | Aejkgj32.exe
4476 | Appodcde.exe
2692 | Aihcmi32.exe
3344 | Apbljcbb.exe
4660 | Agldgm32.exe
4080 | Alimodhf.exe
3148 | Aogikogj.exe
3836 | Bmhiig32.exe
2724 | Bojeaoeg.exe
2504 | Becnni32.exe
4300 | Blnfjc32.exe
3396 | Bolbfo32.exe
3016 | Bgcjgl32.exe
3368 | Bnmbdfkd.exe
3320 | Bonoln32.exe
3092 | Behgihho.exe
5108 | Blboeb32.exe
1972 | Boqlanop.exe
3436 | Bekdnh32.exe
1620 | Bldlkbni.exe
2336 | Bochgnmm.exe
5036 | Bgjphkno.exe
336 | Clgiqblf.exe
1068 | Coeemmkj.exe
1600 | Cglmnk32.exe
3356 | Cliefa32.exe
1892 | Cohbbm32.exe
860 | Cjmfof32.exe
4984 | Cpgnlppj.exe
924 | Cnkoed32.exe
780 | Cpikap32.exe
4980 | Cgccnjed.exe
3720 | Cnmkkd32.exe
4540 | Cplhgo32.exe
2056 | Ccjdck32.exe
4012 | Djdlpe32.exe
744 | Dqndmojb.exe
4996 | Dcmqijif.exe
2848 | Djfied32.exe
4200 | Dleeap32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Pogpdaem.exe | Peokll32.exe
File created | C:\Windows\SysWOW64\Gjqnio32.exe | Ghbamc32.exe
File created | C:\Windows\SysWOW64\Opmbqnpm.dll | Kkbmkhej.exe
File created | C:\Windows\SysWOW64\Mkkkdf32.exe | Lqfggm32.exe
File opened for modification | C:\Windows\SysWOW64\Pnfijkaa.exe | Ppcino32.exe
File created | C:\Windows\SysWOW64\Hjaplgej.dll | Kihbcpog.exe
File created | C:\Windows\SysWOW64\Lahkkaof.dll | Cenpdk32.exe
File created | C:\Windows\SysWOW64\Iinplmai.exe | Icagcfca.exe
File created | C:\Windows\SysWOW64\Pcjnclme.dll | Fkecjajp.exe
File created | C:\Windows\SysWOW64\Cbofbc32.dll | Cliefa32.exe
File created | C:\Windows\SysWOW64\Lcocncig.exe | Lpqgahjd.exe
File created | C:\Windows\SysWOW64\Kfklahfe.dll | Dbifon32.exe
File created | C:\Windows\SysWOW64\Lbbjaa32.dll | Cacbdoil.exe
File created | C:\Windows\SysWOW64\Gfloca32.exe | Gcmbffmq.exe
File created | C:\Windows\SysWOW64\Mdeaqpje.dll | Dcjmid32.exe
File created | C:\Windows\SysWOW64\Biahgg32.dll | Ippedl32.exe
File created | C:\Windows\SysWOW64\Gdmaia32.exe | Goqiaj32.exe
File created | C:\Windows\SysWOW64\Jkbddk32.exe | Idhlgalp.exe
File opened for modification | C:\Windows\SysWOW64\Echijbkm.exe | Eolmjd32.exe
File created | C:\Windows\SysWOW64\Lehodi32.exe | Ldfbmabf.exe
File created | C:\Windows\SysWOW64\Fniolbhj.exe | Fofoqe32.exe
File opened for modification | C:\Windows\SysWOW64\Oicfhmqm.exe | Oehjgn32.exe
File created | C:\Windows\SysWOW64\Gealgp32.dll | Hppcgehg.exe
File created | C:\Windows\SysWOW64\Adcaqo32.dll | Pmeoklcg.exe
File opened for modification | C:\Windows\SysWOW64\Pojafbgj.exe | Phpijh32.exe
File created | C:\Windows\SysWOW64\Accihocc.exe | Amiale32.exe
File created | C:\Windows\SysWOW64\Abmiejjp.dll | Mpjjhfai.exe
File opened for modification | C:\Windows\SysWOW64\Kmedoh32.exe | Kfllbnje.exe
File opened for modification | C:\Windows\SysWOW64\Lebooc32.exe | Lbdbbh32.exe
File opened for modification | C:\Windows\SysWOW64\Mofbcg32.exe | Mlhfgl32.exe
File created | C:\Windows\SysWOW64\Eioppo32.exe | Ehnchgbf.exe
File created | C:\Windows\SysWOW64\Pjgboqdc.exe | Pdjjgifl.exe
File created | C:\Windows\SysWOW64\Nkpifn32.dll | Bcicebdf.exe
File opened for modification | C:\Windows\SysWOW64\Banacc32.exe | Blahkl32.exe
File opened for modification | C:\Windows\SysWOW64\Dldngj32.exe | Dcljodej.exe
File created | C:\Windows\SysWOW64\Fmlenlan.dll | Fcalqacb.exe
File created | C:\Windows\SysWOW64\Mkndgpco.dll | Lapckk32.exe
File created | C:\Windows\SysWOW64\Dogmdncm.exe | Dhmegdlq.exe
File created | C:\Windows\SysWOW64\Efjcechb.dll | Njpcgd32.exe
File opened for modification | C:\Windows\SysWOW64\Cjlgme32.exe | Cacbdoil.exe
File created | C:\Windows\SysWOW64\Fpphblkg.dll | Ehnchgbf.exe
File created | C:\Windows\SysWOW64\Hkaeea32.dll | Kgbhokqf.exe
File opened for modification | C:\Windows\SysWOW64\Fjbahq32.exe | Ffgehbpj.exe
File created | C:\Windows\SysWOW64\Ckfoabml.exe | Cdlfeh32.exe
File created | C:\Windows\SysWOW64\Phfgee32.dll | Coiqcp32.exe
File opened for modification | C:\Windows\SysWOW64\Edmhbcij.exe | Eaolfhjf.exe
File created | C:\Windows\SysWOW64\Doclih32.dll | Pfgmcbpp.exe
File created | C:\Windows\SysWOW64\Gkdffe32.exe | Gdjnikjo.exe
File created | C:\Windows\SysWOW64\Boqlanop.exe | Blboeb32.exe
File opened for modification | C:\Windows\SysWOW64\Ancnac32.exe | Ahjfdi32.exe
File created | C:\Windows\SysWOW64\Dolcbb32.dll | Fkmpefgc.exe
File opened for modification | C:\Windows\SysWOW64\Cigahb32.exe | Cckipl32.exe
File created | C:\Windows\SysWOW64\Jdkacp32.dll | Cmcmiaei.exe
File opened for modification | C:\Windows\SysWOW64\Ogndlcfd.exe | Oikdpf32.exe
File opened for modification | C:\Windows\SysWOW64\Pccglh32.exe | Omjoonmd.exe
File created | C:\Windows\SysWOW64\Calldppd.exe | Cjbdgf32.exe
File created | C:\Windows\SysWOW64\Qonajb32.dll | Bhhipm32.exe
File created | C:\Windows\SysWOW64\Oonfmn32.dll | Jdpjpj32.exe
File opened for modification | C:\Windows\SysWOW64\Kcccbe32.exe | Kmfkjn32.exe
File created | C:\Windows\SysWOW64\Ipmnhfii.dll | Lmmajm32.exe
File opened for modification | C:\Windows\SysWOW64\Pqhopbgf.exe | Pnjbdg32.exe
File created | C:\Windows\SysWOW64\Ehkgbgdi.exe | Daaofm32.exe
File created | C:\Windows\SysWOW64\Kihgag32.dll | Okkfgk32.exe
File created | C:\Windows\SysWOW64\Eeqeah32.exe | Dogmdncm.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
14872 | 14792 | WerFault.exe | 1053
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 64 events open the same key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
description | Process
Key opened | Jmplceoa.exe
Key opened | Nnepbj32.exe
Key opened | Bomagajk.exe
Key opened | Affopj32.exe
Key opened | Jdobhp32.exe
Key opened | Hnofpm32.exe
Key opened | Ndohodbg.exe
Key opened | Dogmdncm.exe
Key opened | Gogobigh.exe
Key opened | Ehbmcf32.exe
Key opened | Lgcinc32.exe
Key opened | Mbbodfnk.exe
Key opened | Hjghnj32.exe
Key opened | Qagblf32.exe
Key opened | Aelqbdoq.exe
Key opened | Eeqeah32.exe
Key opened | Amcdbc32.exe
Key opened | Lgiich32.exe
Key opened | Dhmlbj32.exe
Key opened | Gdadjjcf.exe
Key opened | Lnmpmi32.exe
Key opened | Cgdhkk32.exe
Key opened | Phlqma32.exe
Key opened | Kpacfc32.exe
Key opened | Mgnaok32.exe
Key opened | Pliheg32.exe
Key opened | Cacbdoil.exe
Key opened | Igmemnco.exe
Key opened | Ffibmang.exe
Key opened | Iaphhe32.exe
Key opened | Lpldao32.exe
Key opened | Odjapl32.exe
Key opened | Jkehdadf.exe
Key opened | Mfnkdd32.exe
Key opened | Eqomcm32.exe
Key opened | Ojjmhi32.exe
Key opened | Icagcfca.exe
Key opened | Mdbbhohi.exe
Key opened | Kifndm32.exe
Key opened | Gqeeqc32.exe
Key opened | Mkdgpo32.exe
Key opened | Ongfng32.exe
Key opened | Dhbkgoqp.exe
Key opened | Ggffeagi.exe
Key opened | Olbioocl.exe
Key opened | Lpmlgl32.exe
Key opened | Qjfldjqg.exe
Key opened | Gkcolo32.exe
Key opened | Baiqnnka.exe
Key opened | Meoeehbm.exe
Key opened | Fkmpefgc.exe
Key opened | Nglgfbjd.exe
Key opened | Ggmlfp32.exe
Key opened | Picakl32.exe
Key opened | Pipnkfld.exe
Key opened | Jgqbdafe.exe
Key opened | Hjbcdhfd.exe
Key opened | Mchfdbam.exe
Key opened | Goneadkg.exe
Key opened | Fihcfn32.exe
Key opened | Pmajajcd.exe
Key opened | Gbionk32.exe
Key opened | Olefdn32.exe
Key opened | Dakppdgp.exe
Modifies registry class (64 IoCs)
All 64 events target the key \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, i.e. the COM registration of the CLSID named by the ShellServiceObjectDelayLoad value above. The (Default) value of InProcServer32 is the DLL path Explorer.exe will load for that CLSID; the report shows it being written with several different names under C:\Windows\SysWow64.
description | ioc (relative to the key above) | Process
Key created | InProcServer32 | Gahiqieb.exe
Set value (str) | ThreadingModel = "Apartment" | Fhndihaj.exe
Key created | InProcServer32 | Mgohiamk.exe
Key created | InProcServer32 | Ojjmhi32.exe
Set value (str) | ThreadingModel = "Apartment" | Mlimab32.exe
Set value (str) | ThreadingModel = "Apartment" | Ocngfbek.exe
Key created | InProcServer32 | Ehbmcf32.exe
Key created | InProcServer32 | Clgiqblf.exe
Key created | InProcServer32 | Lbdbbh32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Qaodpcip.dll" | Oicfhmqm.exe
Key created | InProcServer32 | Gaacpj32.exe
Key created | InProcServer32 | Icdkcl32.exe
Set value (str) | ThreadingModel = "Apartment" | Ajfeke32.exe
Set value (str) | ThreadingModel = "Apartment" | Megaqqff.exe
Key created | InProcServer32 | Oggfaapf.exe
Key created | InProcServer32 | Ideanb32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Cflbpb32.dll" | Ilohnh32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Abjlga32.dll" | Degkpc32.exe
Key created | InProcServer32 | Hbljdn32.exe
Key created | InProcServer32 | Bpjcdn32.exe
Set value (str) | ThreadingModel = "Apartment" | Dfjncepi.exe
Key created | InProcServer32 | Edmhbcij.exe
Set value (str) | ThreadingModel = "Apartment" | Fjennp32.exe
Set value (str) | ThreadingModel = "Apartment" | Eehkageb.exe
Set value (str) | ThreadingModel = "Apartment" | Pmeoklcg.exe
Key created | InProcServer32 | Echpdioi.exe
Key created | InProcServer32 | Ldfbmabf.exe
Key created | InProcServer32 | Olbioocl.exe
Key created | InProcServer32 | Aaogmhop.exe
Key created | InProcServer32 | Ndaloj32.exe
Key created | InProcServer32 | Cacjnbfb.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Jfcmcg32.dll" | Dogdodgi.exe
Set value (str) | ThreadingModel = "Apartment" | Kdnfqhnm.exe
Set value (str) | ThreadingModel = "Apartment" | Bdepdilg.exe
Key created | InProcServer32 | Ooehkc32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pmllddgh.dll" | Qagblf32.exe
Set value (str) | ThreadingModel = "Apartment" | Egaknjmm.exe
Key created | InProcServer32 | Nglgfbjd.exe
Key created | InProcServer32 | Noihpd32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Pgcdefid.dll" | Dfjncepi.exe
Set value (str) | ThreadingModel = "Apartment" | Gakjcjgo.exe
Set value (str) | ThreadingModel = "Apartment" | Ideanb32.exe
Set value (str) | ThreadingModel = "Apartment" | Hbnhijcp.exe
Set value (str) | ThreadingModel = "Apartment" | Ncdeppgp.exe
Key created | InProcServer32 | Njpjbjlj.exe
Set value (str) | ThreadingModel = "Apartment" | Qnhoeelc.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Dqmjinfg.dll" | Pchaggql.exe
Key created | InProcServer32 | Ggfmpgke.exe
Set value (str) | ThreadingModel = "Apartment" | Fjpnhjfj.exe
Key created | InProcServer32 | Pnjbdg32.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Mebaledk.dll" | Mphlcj32.exe
Set value (str) | ThreadingModel = "Apartment" | Qmjmhiki.exe
Set value (str) | ThreadingModel = "Apartment" | Baiqnnka.exe
Set value (str) | ThreadingModel = "Apartment" | Cjhdml32.exe
Key created | InProcServer32 | Fgdele32.exe
Key created | InProcServer32 | Iombakfi.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Clcpbgde.dll" | Gaqkho32.exe
Key created | InProcServer32 | Idfoaa32.exe
Key created | InProcServer32 | Pejbqmca.exe
Set value (str) | (Default) = "C:\\Windows\\SysWow64\\Idoaaofm.dll" | Iaphhe32.exe
Set value (str) | ThreadingModel = "Apartment" | Jaiknd32.exe
Set value (str) | ThreadingModel = "Apartment" | Jmmhco32.exe
Key created | InProcServer32 | Bbkjmppa.exe
Key created | InProcServer32 | Fkimem32.exe
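The two registry sections above ("Adds autorun key" and "Modifies registry class") only make sense together: the ShellServiceObjectDelayLoad value names a CLSID, and the InProcServer32 (Default) value of that CLSID is the DLL Explorer.exe will actually load. The script below is an added example, not tria.ge code, that joins those two event types and reports, for each SSODL entry, the CLSID, the DLL path(s) registered for it, whether the InProcServer32 key was newly created in the trace, and whether the DLL also appears among the dropped files. The input lines are constructed in the report's own "description ioc Process" line format from entries visible above; the line format and the escaped backslashes in DLL paths are assumptions about how the report serialises events.

```python
"""Join ShellServiceObjectDelayLoad (SSODL) autorun entries to the COM class
they point at and resolve the DLL Explorer.exe would load.

Added example for this page, not tria.ge code. SAMPLE_EVENTS is constructed
from entries shown in the report; nothing beyond those lines is assumed.
"""
import re

GUID = r'\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}'
HIVE = r'\\REGISTRY\\MACHINE\\SOFTWARE\\'

# SSODL value "<name> = {CLSID}": Explorer.exe instantiates every CLSID listed here at logon.
SSODL_RE = re.compile(
    r'^Set value \(str\) ' + HIVE + r'(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\'
    r'ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>' + GUID + r')" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# COM registration: the (Default) value of InProcServer32 is the DLL path for that CLSID.
INPROC_RE = re.compile(
    r'^Set value \(str\) ' + HIVE + r'Classes\\(?:WOW6432Node\\)?CLSID\\(?P<clsid>' + GUID +
    r')\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)
INPROC_CREATED_RE = re.compile(
    r'^Key created ' + HIVE + r'Classes\\(?:WOW6432Node\\)?CLSID\\(?P<clsid>' + GUID +
    r')\\InProcServer32 (?P<proc>\S+)$',
    re.IGNORECASE,
)
FILE_CREATED_RE = re.compile(r'^File created (?P<path>.+) (?P<proc>\S+)$')

# Constructed from rows visible in the report (one event per line).
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpacfc32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajgkfn32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fihcfn32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gahiqieb.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhndihaj.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaodpcip.dll" Oicfhmqm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cflbpb32.dll" Ilohnh32.exe',
    r'File created C:\Windows\SysWOW64\Opmbqnpm.dll Kkbmkhej.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmplceoa.exe',
]


def parse_events(lines):
    """Index the events we care about; everything else (ThreadingModel, NLS\Language, ...) is skipped."""
    ssodl = {}       # (value name, CLSID) -> {processes that set it}
    inproc = {}      # CLSID -> {DLL path -> {processes that registered it}}
    created = {}     # CLSID -> {processes that created the InProcServer32 key}
    dropped = set()  # lower-cased paths of files written by the sample
    for line in lines:
        if m := SSODL_RE.match(line):
            ssodl.setdefault((m['name'], m['clsid'].upper()), set()).add(m['proc'])
        elif m := INPROC_RE.match(line):
            dll = m['dll'].replace('\\\\', '\\')  # the report escapes backslashes in values
            inproc.setdefault(m['clsid'].upper(), {}).setdefault(dll, set()).add(m['proc'])
        elif m := INPROC_CREATED_RE.match(line):
            created.setdefault(m['clsid'].upper(), set()).add(m['proc'])
        elif m := FILE_CREATED_RE.match(line):
            dropped.add(m['path'].lower())  # NTFS paths are case-insensitive (SysWow64 vs SysWOW64)
    return ssodl, inproc, created, dropped


def find_ssodl_persistence(lines):
    """One finding per (SSODL value, CLSID, DLL) triple that Explorer.exe would load."""
    ssodl, inproc, created, dropped = parse_events(lines)
    findings = []
    for (name, clsid), setters in sorted(ssodl.items()):
        # dll=None: the CLSID is referenced but its server was not registered in this trace
        dlls = inproc.get(clsid) or {None: set()}
        for dll, registrars in dlls.items():
            findings.append({
                'value': name,
                'clsid': clsid,
                'dll': dll,
                'clsid_created_in_trace': clsid in created,
                'dll_seen_dropped': dll is not None and dll.lower() in dropped,
                'set_by': sorted(setters),
                'registered_by': sorted(registrars),
            })
    return findings


if __name__ == '__main__':
    for f in find_ssodl_persistence(SAMPLE_EVENTS):
        print(f"{f['value']} -> {f['clsid']} -> {f['dll']} "
              f"(InProcServer32 created in trace: {f['clsid_created_in_trace']}, "
              f"DLL drop seen: {f['dll_seen_dropped']})")
```

On the sample events this yields two findings, both for Web Event Logger and CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, pointing at Qaodpcip.dll and Cflbpb32.dll, with the InProcServer32 key created in the trace and neither DLL among the (truncated, 64-row) drop list. The same two reads, SSODL value then CLSID\InProcServer32 (Default), are what to run against a live host under both the native and the WOW6432Node views; a CLSID whose InProcServer32 key is younger than the OS install and resolves to a DLL under SysWOW64 with a name like these is the thing to pull.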
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e92bae3a9f856657ffe2ad8642b0100e0e4febdf1e1b3bdfcbe3d268d78bc34b.exe"C:\Users\Admin\AppData\Local\Temp\e92bae3a9f856657ffe2ad8642b0100e0e4febdf1e1b3bdfcbe3d268d78bc34b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Obglib32.exeC:\Windows\system32\Obglib32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\SysWOW64\Oiqdflop.exeC:\Windows\system32\Oiqdflop.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Ppkmbffm.exeC:\Windows\system32\Ppkmbffm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Pfdeop32.exeC:\Windows\system32\Pfdeop32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Picakl32.exeC:\Windows\system32\Picakl32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Pbkfdacn.exeC:\Windows\system32\Pbkfdacn.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Pejbqmca.exeC:\Windows\system32\Pejbqmca.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\Pmajajcd.exeC:\Windows\system32\Pmajajcd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Ppofnebg.exeC:\Windows\system32\Ppofnebg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Pfinjpjd.exeC:\Windows\system32\Pfinjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Plfgbfhl.exeC:\Windows\system32\Plfgbfhl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Pbpooq32.exeC:\Windows\system32\Pbpooq32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Peokll32.exeC:\Windows\system32\Peokll32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Pogpdaem.exeC:\Windows\system32\Pogpdaem.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Pildaj32.exeC:\Windows\system32\Pildaj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Qpflndlp.exeC:\Windows\system32\Qpflndlp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Qbehjplc.exeC:\Windows\system32\Qbehjplc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Qecegkkg.exeC:\Windows\system32\Qecegkkg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Qmjmhiki.exeC:\Windows\system32\Qmjmhiki.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Qeealk32.exeC:\Windows\system32\Qeealk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Apkfid32.exeC:\Windows\system32\Apkfid32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Afenfnpg.exeC:\Windows\system32\Afenfnpg.exe23⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Amofch32.exeC:\Windows\system32\Amofch32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Apmboc32.exeC:\Windows\system32\Apmboc32.exe25⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Aejkgj32.exeC:\Windows\system32\Aejkgj32.exe26⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Appodcde.exeC:\Windows\system32\Appodcde.exe27⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Aihcmi32.exeC:\Windows\system32\Aihcmi32.exe28⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Apbljcbb.exeC:\Windows\system32\Apbljcbb.exe29⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Agldgm32.exeC:\Windows\system32\Agldgm32.exe30⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Alimodhf.exeC:\Windows\system32\Alimodhf.exe31⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Aogikogj.exeC:\Windows\system32\Aogikogj.exe32⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Bmhiig32.exeC:\Windows\system32\Bmhiig32.exe33⤵
- Executes dropped EXE
PID:3836 -
C:\Windows\SysWOW64\Bojeaoeg.exeC:\Windows\system32\Bojeaoeg.exe34⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Becnni32.exeC:\Windows\system32\Becnni32.exe35⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Blnfjc32.exeC:\Windows\system32\Blnfjc32.exe36⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Bolbfo32.exeC:\Windows\system32\Bolbfo32.exe37⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Bgcjgl32.exeC:\Windows\system32\Bgcjgl32.exe38⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Bnmbdfkd.exeC:\Windows\system32\Bnmbdfkd.exe39⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Bonoln32.exeC:\Windows\system32\Bonoln32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Behgihho.exeC:\Windows\system32\Behgihho.exe41⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Blboeb32.exeC:\Windows\system32\Blboeb32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5108 -
C:\Windows\SysWOW64\Boqlanop.exeC:\Windows\system32\Boqlanop.exe43⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Bekdnh32.exeC:\Windows\system32\Bekdnh32.exe44⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Bldlkbni.exeC:\Windows\system32\Bldlkbni.exe45⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Bochgnmm.exeC:\Windows\system32\Bochgnmm.exe46⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Bgjphkno.exeC:\Windows\system32\Bgjphkno.exe47⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Clgiqblf.exeC:\Windows\system32\Clgiqblf.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Coeemmkj.exeC:\Windows\system32\Coeemmkj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Cglmnk32.exeC:\Windows\system32\Cglmnk32.exe50⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Cliefa32.exeC:\Windows\system32\Cliefa32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3356 -
C:\Windows\SysWOW64\Cohbbm32.exeC:\Windows\system32\Cohbbm32.exe52⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Cjmfof32.exeC:\Windows\system32\Cjmfof32.exe53⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Cpgnlppj.exeC:\Windows\system32\Cpgnlppj.exe54⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Cnkoed32.exeC:\Windows\system32\Cnkoed32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Cpikap32.exeC:\Windows\system32\Cpikap32.exe56⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Cgccnjed.exeC:\Windows\system32\Cgccnjed.exe57⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\Cnmkkd32.exeC:\Windows\system32\Cnmkkd32.exe58⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\Cplhgo32.exeC:\Windows\system32\Cplhgo32.exe59⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Ccjdck32.exeC:\Windows\system32\Ccjdck32.exe60⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Djdlpe32.exeC:\Windows\system32\Djdlpe32.exe61⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Dqndmojb.exeC:\Windows\system32\Dqndmojb.exe62⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Dcmqijif.exeC:\Windows\system32\Dcmqijif.exe63⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Djfied32.exeC:\Windows\system32\Djfied32.exe64⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Dleeap32.exeC:\Windows\system32\Dleeap32.exe65⤵
- Executes dropped EXE
PID:4200 -
C:\Windows\SysWOW64\Dcomojgc.exeC:\Windows\system32\Dcomojgc.exe66⤵PID:1772
-
C:\Windows\SysWOW64\Djiekdnp.exeC:\Windows\system32\Djiekdnp.exe67⤵PID:2224
-
C:\Windows\SysWOW64\Dmgbgpnd.exeC:\Windows\system32\Dmgbgpnd.exe68⤵PID:1596
-
C:\Windows\SysWOW64\Dgmfdhmj.exeC:\Windows\system32\Dgmfdhmj.exe69⤵PID:4776
-
C:\Windows\SysWOW64\Dqejmn32.exeC:\Windows\system32\Dqejmn32.exe70⤵PID:3312
-
C:\Windows\SysWOW64\Dccgii32.exeC:\Windows\system32\Dccgii32.exe71⤵PID:704
-
C:\Windows\SysWOW64\Dnikgbbd.exeC:\Windows\system32\Dnikgbbd.exe72⤵PID:4564
-
C:\Windows\SysWOW64\Dcfcoiak.exeC:\Windows\system32\Dcfcoiak.exe73⤵PID:5172
-
C:\Windows\SysWOW64\Ejpllc32.exeC:\Windows\system32\Ejpllc32.exe74⤵PID:5232
-
C:\Windows\SysWOW64\Enkhlbqa.exeC:\Windows\system32\Enkhlbqa.exe75⤵PID:5272
-
C:\Windows\SysWOW64\Echpdioi.exeC:\Windows\system32\Echpdioi.exe76⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Ejbhac32.exeC:\Windows\system32\Ejbhac32.exe77⤵PID:5352
-
C:\Windows\SysWOW64\Enpaga32.exeC:\Windows\system32\Enpaga32.exe78⤵PID:5396
-
C:\Windows\SysWOW64\Eqomcm32.exeC:\Windows\system32\Eqomcm32.exe79⤵
- System Location Discovery: System Language Discovery
PID:5436 -
C:\Windows\SysWOW64\Efkflc32.exeC:\Windows\system32\Efkflc32.exe80⤵PID:5476
-
C:\Windows\SysWOW64\Ecofehiq.exeC:\Windows\system32\Ecofehiq.exe81⤵PID:5516
-
C:\Windows\SysWOW64\Efnbachd.exeC:\Windows\system32\Efnbachd.exe82⤵PID:5560
-
C:\Windows\SysWOW64\Ecackggn.exeC:\Windows\system32\Ecackggn.exe83⤵PID:5604
-
C:\Windows\SysWOW64\Fjlkga32.exeC:\Windows\system32\Fjlkga32.exe84⤵PID:5648
-
C:\Windows\SysWOW64\Fcdpqg32.exeC:\Windows\system32\Fcdpqg32.exe85⤵PID:5692
-
C:\Windows\SysWOW64\Fjnhmalh.exeC:\Windows\system32\Fjnhmalh.exe86⤵PID:5736
-
C:\Windows\SysWOW64\Fcflfg32.exeC:\Windows\system32\Fcflfg32.exe87⤵PID:5784
-
C:\Windows\SysWOW64\Fnlqcp32.exeC:\Windows\system32\Fnlqcp32.exe88⤵PID:5828
-
C:\Windows\SysWOW64\Fgdele32.exeC:\Windows\system32\Fgdele32.exe89⤵
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Ffgehbpj.exeC:\Windows\system32\Ffgehbpj.exe90⤵
- Drops file in System32 directory
PID:5920 -
C:\Windows\SysWOW64\Fjbahq32.exeC:\Windows\system32\Fjbahq32.exe91⤵PID:5976
-
C:\Windows\SysWOW64\Fmandl32.exeC:\Windows\system32\Fmandl32.exe92⤵PID:6020
-
C:\Windows\SysWOW64\Fppjqg32.exeC:\Windows\system32\Fppjqg32.exe93⤵PID:6080
-
C:\Windows\SysWOW64\Fckfafoc.exeC:\Windows\system32\Fckfafoc.exe94⤵PID:6136
-
C:\Windows\SysWOW64\Ffibmang.exeC:\Windows\system32\Ffibmang.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Windows\SysWOW64\Fjennp32.exeC:\Windows\system32\Fjennp32.exe96⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Fnqjnoni.exeC:\Windows\system32\Fnqjnoni.exe97⤵PID:5468
-
C:\Windows\SysWOW64\Faofjjnm.exeC:\Windows\system32\Faofjjnm.exe98⤵PID:5568
-
C:\Windows\SysWOW64\Gcmbffmq.exeC:\Windows\system32\Gcmbffmq.exe99⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Gfloca32.exeC:\Windows\system32\Gfloca32.exe100⤵PID:5744
-
C:\Windows\SysWOW64\Gjgkcpdm.exeC:\Windows\system32\Gjgkcpdm.exe101⤵PID:5880
-
C:\Windows\SysWOW64\Gmfgpkca.exeC:\Windows\system32\Gmfgpkca.exe102⤵PID:5936
-
C:\Windows\SysWOW64\Gaacpj32.exeC:\Windows\system32\Gaacpj32.exe103⤵
- Modifies registry class
PID:6008 -
C:\Windows\SysWOW64\Gcpole32.exeC:\Windows\system32\Gcpole32.exe104⤵PID:6124
-
C:\Windows\SysWOW64\Gnecin32.exeC:\Windows\system32\Gnecin32.exe105⤵PID:5308
-
C:\Windows\SysWOW64\Gpfpafpb.exeC:\Windows\system32\Gpfpafpb.exe106⤵PID:5472
-
C:\Windows\SysWOW64\Gcblae32.exeC:\Windows\system32\Gcblae32.exe107⤵PID:5612
-
C:\Windows\SysWOW64\Gfqhnq32.exeC:\Windows\system32\Gfqhnq32.exe108⤵PID:5820
-
C:\Windows\SysWOW64\Gngponha.exeC:\Windows\system32\Gngponha.exe109⤵PID:5984
-
C:\Windows\SysWOW64\Gmjqkk32.exeC:\Windows\system32\Gmjqkk32.exe110⤵PID:6088
-
C:\Windows\SysWOW64\Gfcecpel.exeC:\Windows\system32\Gfcecpel.exe111⤵PID:5416
-
C:\Windows\SysWOW64\Gnjmdnfo.exeC:\Windows\system32\Gnjmdnfo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Gahiqieb.exeC:\Windows\system32\Gahiqieb.exe113⤵
- Modifies registry class
PID:6040 -
C:\Windows\SysWOW64\Ghbamc32.exeC:\Windows\system32\Ghbamc32.exe114⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Gjqnio32.exeC:\Windows\system32\Gjqnio32.exe115⤵PID:5572
-
C:\Windows\SysWOW64\Hpnfbejj.exeC:\Windows\system32\Hpnfbejj.exe116⤵PID:6056
-
C:\Windows\SysWOW64\Hfgnop32.exeC:\Windows\system32\Hfgnop32.exe117⤵PID:5628
-
C:\Windows\SysWOW64\Hnofpm32.exeC:\Windows\system32\Hnofpm32.exe118⤵
- System Location Discovery: System Language Discovery
PID:5288 -
C:\Windows\SysWOW64\Hppcgehg.exeC:\Windows\system32\Hppcgehg.exe119⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Hjegdnhm.exeC:\Windows\system32\Hjegdnhm.exe120⤵PID:1312
-
C:\Windows\SysWOW64\Hncpklnd.exeC:\Windows\system32\Hncpklnd.exe121⤵PID:6164
-
C:\Windows\SysWOW64\Hpdlbd32.exeC:\Windows\system32\Hpdlbd32.exe122⤵PID:6208