Analysis
- max time kernel: 174s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/10/2023, 17:28
Behavioral task: behavioral1
- Sample: NEAS.cf5182eec47c297e303016391c2e1550.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.cf5182eec47c297e303016391c2e1550.exe
- Resource: win10v2004-20231020-en
General
- Target: NEAS.cf5182eec47c297e303016391c2e1550.exe
- Size: 416KB
- MD5: cf5182eec47c297e303016391c2e1550
- SHA1: 8e5d0fe2d219fe9c15e67fc3005c8e8fdfcae866
- SHA256: 23f7c81c7232ed40430ff0dd86f78485e95c901d734500afa77a1f6056dbf4d2
- SHA512: 050fa73fbf66285b1a7945d40ad055a6fc9d9d2ca7cea77141a7fe0c5d6a3c38e9d0b70637f35045ac8ce1fb06757ea5bc65a35cfa7ae37f1594c9002a311dc8
- SSDEEP: 12288:OUYJ07kE0KoFtw2gu9RxrBIUbPLwH96/I0lOZ0vbqFB:3YJ07kE0KoFtw2gu9RxrBIUbPLwH96/
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amdiei32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnealfkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mekmgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kngkqbgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmdnbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohdlpa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebaplnie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Odfcjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ogkcihgj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pddhlnfg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpiobc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mgeakekd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pmblagmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Boihcf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckclacmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eeqclfaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Naecieef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oloaamqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pcnalbce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Knqepc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cklhcfle.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kohnpoib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qoboofnb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhkmcbd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apekha32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejjqjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lgdidgjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lmmokgne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pekkhn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opdpih32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjjpgb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abedil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jmepcj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpalomaq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mekmgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dndnjllg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Giqjdk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boihcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cgifbhid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fifhbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nihdhl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knaldo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkjnop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hiackied.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obnebp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jpenfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Olgdgibf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Legjgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ldccid32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnbadlnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiekhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qbmpjkqk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohfhqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mledgm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfagcm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nflkbanj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmblagmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dahfkimd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lcggbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lnmkpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dkidme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lanpml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Modpch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pogpcghp.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0007000000022d7c-8.dat | family_berbew
behavioral2/files/0x0007000000022d7c-6.dat | family_berbew
behavioral2/files/0x0008000000022d79-14.dat | family_berbew
behavioral2/files/0x000a000000022e4b-22.dat | family_berbew
behavioral2/files/0x000a000000022e4b-23.dat | family_berbew
behavioral2/files/0x0007000000022e4f-30.dat | family_berbew
behavioral2/files/0x0007000000022e4f-31.dat | family_berbew
behavioral2/files/0x0008000000022d79-15.dat | family_berbew
behavioral2/files/0x0009000000022d92-38.dat | family_berbew
behavioral2/files/0x0009000000022d92-40.dat | family_berbew
behavioral2/files/0x0008000000022d72-48.dat | family_berbew
behavioral2/files/0x0008000000022d72-46.dat | family_berbew
behavioral2/files/0x0007000000022e60-54.dat | family_berbew
behavioral2/files/0x0007000000022e60-56.dat | family_berbew
behavioral2/files/0x0006000000022e6b-64.dat | family_berbew
behavioral2/files/0x0006000000022e6b-62.dat | family_berbew
behavioral2/files/0x0006000000022e6d-70.dat | family_berbew
behavioral2/files/0x0006000000022e6d-72.dat | family_berbew
behavioral2/files/0x0006000000022e6f-80.dat | family_berbew
behavioral2/files/0x0006000000022e6f-78.dat | family_berbew
behavioral2/files/0x0006000000022e71-86.dat | family_berbew
behavioral2/files/0x0006000000022e71-88.dat | family_berbew
behavioral2/files/0x0006000000022e73-94.dat | family_berbew
behavioral2/files/0x0006000000022e73-96.dat | family_berbew
behavioral2/files/0x0006000000022e75-102.dat | family_berbew
behavioral2/files/0x0006000000022e75-104.dat | family_berbew
behavioral2/files/0x0006000000022e77-105.dat | family_berbew
behavioral2/files/0x0006000000022e77-112.dat | family_berbew
behavioral2/files/0x0007000000022da2-118.dat | family_berbew
behavioral2/files/0x0007000000022da2-120.dat | family_berbew
behavioral2/files/0x0006000000022e77-110.dat | family_berbew
behavioral2/files/0x0006000000022e7a-126.dat | family_berbew
behavioral2/files/0x0006000000022e7a-128.dat | family_berbew
behavioral2/files/0x0006000000022e7c-135.dat | family_berbew
behavioral2/files/0x0006000000022e7e-142.dat | family_berbew
behavioral2/files/0x0006000000022e7e-143.dat | family_berbew
behavioral2/files/0x0006000000022e80-150.dat | family_berbew
behavioral2/files/0x0006000000022e80-151.dat | family_berbew
behavioral2/files/0x0006000000022e7c-134.dat | family_berbew
behavioral2/files/0x0006000000022e82-158.dat | family_berbew
behavioral2/files/0x0006000000022e82-160.dat | family_berbew
behavioral2/files/0x0006000000022e86-166.dat | family_berbew
behavioral2/files/0x0006000000022e86-168.dat | family_berbew
behavioral2/files/0x0006000000022e8c-169.dat | family_berbew
behavioral2/files/0x0006000000022e8c-174.dat | family_berbew
behavioral2/files/0x0006000000022e8c-176.dat | family_berbew
behavioral2/files/0x0006000000022e8e-183.dat | family_berbew
behavioral2/files/0x0007000000022e8a-190.dat | family_berbew
behavioral2/files/0x0007000000022e8a-191.dat | family_berbew
behavioral2/files/0x0006000000022e8e-182.dat | family_berbew
behavioral2/files/0x0007000000022e88-198.dat | family_berbew
behavioral2/files/0x0007000000022e88-199.dat | family_berbew
behavioral2/files/0x0006000000022e93-206.dat | family_berbew
behavioral2/files/0x0006000000022e93-207.dat | family_berbew
behavioral2/files/0x0006000000022e97-214.dat | family_berbew
behavioral2/files/0x0006000000022e97-216.dat | family_berbew
behavioral2/files/0x0006000000022e9c-217.dat | family_berbew
behavioral2/files/0x0006000000022e9c-222.dat | family_berbew
behavioral2/files/0x0006000000022e9c-224.dat | family_berbew
behavioral2/files/0x0006000000022e9e-230.dat | family_berbew
behavioral2/files/0x0006000000022e9e-232.dat | family_berbew
behavioral2/files/0x0007000000022e99-234.dat | family_berbew
behavioral2/files/0x0007000000022e99-238.dat | family_berbew
behavioral2/files/0x0007000000022e99-240.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
4740 | Jgkmgk32.exe
3116 | Jgmjmjnb.exe
2400 | Jpenfp32.exe
1440 | Jebfng32.exe
2544 | Komhll32.exe
2256 | Knnhjcog.exe
4924 | Knqepc32.exe
828 | Kgiiiidd.exe
3788 | Knenkbio.exe
1792 | Kngkqbgl.exe
4856 | Lgpoihnl.exe
4120 | Lcgpni32.exe
3056 | Lgdidgjg.exe
3592 | Lqmmmmph.exe
1148 | Lmdnbn32.exe
3896 | Mcpcdg32.exe
3560 | Mfchlbfd.exe
1316 | Mokmdh32.exe
4408 | Mnmmboed.exe
4972 | Mgeakekd.exe
4772 | Njfkmphe.exe
3268 | Nflkbanj.exe
3180 | Njjdho32.exe
2648 | Ncchae32.exe
2540 | Njmqnobn.exe
2072 | Onkidm32.exe
4864 | Onmfimga.exe
4268 | Onocomdo.exe
2232 | Omdppiif.exe
2784 | Pmblagmf.exe
3236 | Aknbkjfh.exe
4388 | Agdcpkll.exe
3288 | Akdilipp.exe
1312 | Bkgeainn.exe
4428 | Bmjkic32.exe
4560 | Bgbpaipl.exe
3940 | Boihcf32.exe
4508 | Bdfpkm32.exe
4564 | Bnoddcef.exe
2492 | Cggimh32.exe
3428 | Cnaaib32.exe
2844 | Cdkifmjq.exe
1772 | Cgifbhid.exe
4368 | Cglbhhga.exe
2956 | Cacckp32.exe
4284 | Cklhcfle.exe
3924 | Dafppp32.exe
4288 | Dojqjdbl.exe
2756 | Dhbebj32.exe
4240 | Dakikoom.exe
3024 | Doojec32.exe
3564 | Dkekjdck.exe
4964 | Dglkoeio.exe
1116 | Ebaplnie.exe
2092 | Egohdegl.exe
3168 | Eklajcmc.exe
2408 | Eqiibjlj.exe
4916 | Enmjlojd.exe
3588 | Egened32.exe
2088 | Bmbnnn32.exe
3624 | Dahfkimd.exe
3404 | Hfamia32.exe
4176 | Odifjipd.exe
1756 | Pgaelcgm.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Jpenfp32.exe | Jgmjmjnb.exe
File created | C:\Windows\SysWOW64\Mebncnbm.dll | Pbokab32.exe
File created | C:\Windows\SysWOW64\Genmbb32.dll | Aidcjk32.exe
File created | C:\Windows\SysWOW64\Mledgm32.exe | Mfkkjbnn.exe
File created | C:\Windows\SysWOW64\Ndbhcn32.dll | Nihdhl32.exe
File created | C:\Windows\SysWOW64\Pcbkgb32.exe | Pcnalbce.exe
File opened for modification | C:\Windows\SysWOW64\Omlkmign.exe | Ohobebig.exe
File created | C:\Windows\SysWOW64\Cpmbkm32.dll | Faopah32.exe
File created | C:\Windows\SysWOW64\Egfolf32.dll | Lfnmcnjn.exe
File created | C:\Windows\SysWOW64\Nlgbkf32.dll | Bdbndjld.exe
File opened for modification | C:\Windows\SysWOW64\Gghdkg32.exe | Gnppbapl.exe
File created | C:\Windows\SysWOW64\Dhbebj32.exe | Dojqjdbl.exe
File created | C:\Windows\SysWOW64\Aagfblqi.dll | Ogdofo32.exe
File created | C:\Windows\SysWOW64\Apqhldjp.exe | Aidcjk32.exe
File opened for modification | C:\Windows\SysWOW64\Pmlmdd32.exe | Pddhlnfg.exe
File created | C:\Windows\SysWOW64\Pkbjchio.exe | Phaabm32.exe
File created | C:\Windows\SysWOW64\Qlbfnk32.exe | Pkbjchio.exe
File created | C:\Windows\SysWOW64\Enmjlojd.exe | Eqiibjlj.exe
File created | C:\Windows\SysWOW64\Loodqn32.exe | Kffphhmj.exe
File opened for modification | C:\Windows\SysWOW64\Dgplai32.exe | Cfglahbj.exe
File created | C:\Windows\SysWOW64\Nmenmgab.exe | Nanmhf32.exe
File created | C:\Windows\SysWOW64\Cihhpm32.dll | Bdkgckal.exe
File created | C:\Windows\SysWOW64\Dmokdgeg.dll | Kngkqbgl.exe
File created | C:\Windows\SysWOW64\Paapjc32.dll | Pmlmdd32.exe
File opened for modification | C:\Windows\SysWOW64\Eenfff32.exe | Dndnjllg.exe
File created | C:\Windows\SysWOW64\Koicbp32.dll | Fifhbf32.exe
File created | C:\Windows\SysWOW64\Dfbcek32.exe | Dohkhq32.exe
File created | C:\Windows\SysWOW64\Emhkmcbd.exe | Eeqclfaa.exe
File created | C:\Windows\SysWOW64\Fnacqc32.exe | Fkcgdh32.exe
File created | C:\Windows\SysWOW64\Negaqbji.dll | Mbbloc32.exe
File created | C:\Windows\SysWOW64\Ojkcaalp.dll | Ajmljjhj.exe
File created | C:\Windows\SysWOW64\Dglkoeio.exe | Dkekjdck.exe
File created | C:\Windows\SysWOW64\Kffphhmj.exe | Klnkoc32.exe
File created | C:\Windows\SysWOW64\Ackkcmja.dll | Bekmei32.exe
File opened for modification | C:\Windows\SysWOW64\Odjeepna.exe | Onnmmipj.exe
File opened for modification | C:\Windows\SysWOW64\Bmbnnn32.exe | Egened32.exe
File opened for modification | C:\Windows\SysWOW64\Lbgcch32.exe | Ldccid32.exe
File opened for modification | C:\Windows\SysWOW64\Olgdgibf.exe | Pmfhbm32.exe
File created | C:\Windows\SysWOW64\Fkgejncb.exe | Fifhbf32.exe
File created | C:\Windows\SysWOW64\Mpkkgbmi.exe | Lmmokgne.exe
File created | C:\Windows\SysWOW64\Fkedglkb.dll | Liikiccg.exe
File created | C:\Windows\SysWOW64\Afclpk32.exe | Amkhfegn.exe
File created | C:\Windows\SysWOW64\Cinclj32.dll | Dhbebj32.exe
File opened for modification | C:\Windows\SysWOW64\Njkklk32.exe | Nenbdd32.exe
File opened for modification | C:\Windows\SysWOW64\Nfihkq32.exe | Mjnnkpqo.exe
File created | C:\Windows\SysWOW64\Bgemej32.dll | Nflkbanj.exe
File created | C:\Windows\SysWOW64\Bodano32.exe | Bekmei32.exe
File opened for modification | C:\Windows\SysWOW64\Ncchae32.exe | Njjdho32.exe
File created | C:\Windows\SysWOW64\Jhdfpjee.dll | Cokgonmp.exe
File opened for modification | C:\Windows\SysWOW64\Oloaamqf.exe | Onkphi32.exe
File opened for modification | C:\Windows\SysWOW64\Ebdcejpk.exe | Emhkmcbd.exe
File created | C:\Windows\SysWOW64\Qpqcncda.dll | Ncjmob32.exe
File created | C:\Windows\SysWOW64\Beaekmic.dll | Qlbfnk32.exe
File created | C:\Windows\SysWOW64\Ccmcaicm.exe | Cckfkiep.exe
File created | C:\Windows\SysWOW64\Qolmplcl.dll | Okpkgm32.exe
File created | C:\Windows\SysWOW64\Fbpbbl32.dll | Lmmokgne.exe
File opened for modification | C:\Windows\SysWOW64\Eehime32.exe | Ennqpkcm.exe
File created | C:\Windows\SysWOW64\Cacckp32.exe | Cglbhhga.exe
File created | C:\Windows\SysWOW64\Hlmpoh32.dll | Begcjjql.exe
File created | C:\Windows\SysWOW64\Ncchae32.exe | Njjdho32.exe
File created | C:\Windows\SysWOW64\Cfmijkhj.exe | Chiipg32.exe
File created | C:\Windows\SysWOW64\Jdbklkdg.dll | Lihpdj32.exe
File opened for modification | C:\Windows\SysWOW64\Liofdigo.exe | Lbenho32.exe
File created | C:\Windows\SysWOW64\Bckecf32.dll | Npkmcj32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll" | Egened32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Limioiia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aohbbqme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pmfhbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Eiokbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hhagaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mmokpglb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cnealfkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nmenmgab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pogpcghp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfpfm32.dll" | Ccmcaicm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pjgemi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Moajmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cgmfel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Heqnokaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pcnalbce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lgdidgjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dafppp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmbkm32.dll" | Faopah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kjipmoai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nhokeolc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dfglpjqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dnbadlnj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kilphk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aidcjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bdkgckal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fqpomo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ohdlpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ffgegh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Liikiccg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bdapon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" | Cklhcfle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bekmei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ooqqmoac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifehfoed.dll" | Emhkmcbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Llggeobk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllpffkg.dll" | Mlhqll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aoeleelp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgbkf32.dll" | Bdbndjld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Knenkbio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mgeakekd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbkhpqq.dll" | Qbmpjkqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Niihlkdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lbenho32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Nmajbnha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbjhd32.dll" | Pjeoablq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | NEAS.cf5182eec47c297e303016391c2e1550.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mpkkgbmi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Meepne32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klccng32.dll" | Phmhgmpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkedglkb.dll" | Liikiccg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aebjokda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Odfljp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Oaqbdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopgipok.dll" | Qemhlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnhan32.dll" | Cnahmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cacckp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Amdiei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmjai32.dll" | Addabl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Amkhfegn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Olgdgibf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lcggbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appdbegc.dll" | Cipemdqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cckfkiep.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 436 wrote to memory of 4740 | 436 | NEAS.cf5182eec47c297e303016391c2e1550.exe | 89
PID 436 wrote to memory of 4740 | 436 | NEAS.cf5182eec47c297e303016391c2e1550.exe | 89
PID 436 wrote to memory of 4740 | 436 | NEAS.cf5182eec47c297e303016391c2e1550.exe | 89
PID 4740 wrote to memory of 3116 | 4740 | Jgkmgk32.exe | 90
PID 4740 wrote to memory of 3116 | 4740 | Jgkmgk32.exe | 90
PID 4740 wrote to memory of 3116 | 4740 | Jgkmgk32.exe | 90
PID 3116 wrote to memory of 2400 | 3116 | Jgmjmjnb.exe | 91
PID 3116 wrote to memory of 2400 | 3116 | Jgmjmjnb.exe | 91
PID 3116 wrote to memory of 2400 | 3116 | Jgmjmjnb.exe | 91
PID 2400 wrote to memory of 1440 | 2400 | Jpenfp32.exe | 92
PID 2400 wrote to memory of 1440 | 2400 | Jpenfp32.exe | 92
PID 2400 wrote to memory of 1440 | 2400 | Jpenfp32.exe | 92
PID 1440 wrote to memory of 2544 | 1440 | Jebfng32.exe | 93
PID 1440 wrote to memory of 2544 | 1440 | Jebfng32.exe | 93
PID 1440 wrote to memory of 2544 | 1440 | Jebfng32.exe | 93
PID 2544 wrote to memory of 2256 | 2544 | Komhll32.exe | 94
PID 2544 wrote to memory of 2256 | 2544 | Komhll32.exe | 94
PID 2544 wrote to memory of 2256 | 2544 | Komhll32.exe | 94
PID 2256 wrote to memory of 4924 | 2256 | Knnhjcog.exe | 95
PID 2256 wrote to memory of 4924 | 2256 | Knnhjcog.exe | 95
PID 2256 wrote to memory of 4924 | 2256 | Knnhjcog.exe | 95
PID 4924 wrote to memory of 828 | 4924 | Knqepc32.exe | 96
PID 4924 wrote to memory of 828 | 4924 | Knqepc32.exe | 96
PID 4924 wrote to memory of 828 | 4924 | Knqepc32.exe | 96
PID 828 wrote to memory of 3788 | 828 | Kgiiiidd.exe | 97
PID 828 wrote to memory of 3788 | 828 | Kgiiiidd.exe | 97
PID 828 wrote to memory of 3788 | 828 | Kgiiiidd.exe | 97
PID 3788 wrote to memory of 1792 | 3788 | Knenkbio.exe | 98
PID 3788 wrote to memory of 1792 | 3788 | Knenkbio.exe | 98
PID 3788 wrote to memory of 1792 | 3788 | Knenkbio.exe | 98
PID 1792 wrote to memory of 4856 | 1792 | Kngkqbgl.exe | 99
PID 1792 wrote to memory of 4856 | 1792 | Kngkqbgl.exe | 99
PID 1792 wrote to memory of 4856 | 1792 | Kngkqbgl.exe | 99
PID 4856 wrote to memory of 4120 | 4856 | Lgpoihnl.exe | 100
PID 4856 wrote to memory of 4120 | 4856 | Lgpoihnl.exe | 100
PID 4856 wrote to memory of 4120 | 4856 | Lgpoihnl.exe | 100
PID 4120 wrote to memory of 3056 | 4120 | Lcgpni32.exe | 101
PID 4120 wrote to memory of 3056 | 4120 | Lcgpni32.exe | 101
PID 4120 wrote to memory of 3056 | 4120 | Lcgpni32.exe | 101
PID 3056 wrote to memory of 3592 | 3056 | Lgdidgjg.exe | 102
PID 3056 wrote to memory of 3592 | 3056 | Lgdidgjg.exe | 102
PID 3056 wrote to memory of 3592 | 3056 | Lgdidgjg.exe | 102
PID 3592 wrote to memory of 1148 | 3592 | Lqmmmmph.exe | 103
PID 3592 wrote to memory of 1148 | 3592 | Lqmmmmph.exe | 103
PID 3592 wrote to memory of 1148 | 3592 | Lqmmmmph.exe | 103
PID 1148 wrote to memory of 3896 | 1148 | Lmdnbn32.exe | 104
PID 1148 wrote to memory of 3896 | 1148 | Lmdnbn32.exe | 104
PID 1148 wrote to memory of 3896 | 1148 | Lmdnbn32.exe | 104
PID 3896 wrote to memory of 3560 | 3896 | Mcpcdg32.exe | 105
PID 3896 wrote to memory of 3560 | 3896 | Mcpcdg32.exe | 105
PID 3896 wrote to memory of 3560 | 3896 | Mcpcdg32.exe | 105
PID 3560 wrote to memory of 1316 | 3560 | Mfchlbfd.exe | 107
PID 3560 wrote to memory of 1316 | 3560 | Mfchlbfd.exe | 107
PID 3560 wrote to memory of 1316 | 3560 | Mfchlbfd.exe | 107
PID 1316 wrote to memory of 4408 | 1316 | Mokmdh32.exe | 106
PID 1316 wrote to memory of 4408 | 1316 | Mokmdh32.exe | 106
PID 1316 wrote to memory of 4408 | 1316 | Mokmdh32.exe | 106
PID 4408 wrote to memory of 4972 | 4408 | Mnmmboed.exe | 108
PID 4408 wrote to memory of 4972 | 4408 | Mnmmboed.exe | 108
PID 4408 wrote to memory of 4972 | 4408 | Mnmmboed.exe | 108
PID 4972 wrote to memory of 4772 | 4972 | Mgeakekd.exe | 109
PID 4972 wrote to memory of 4772 | 4972 | Mgeakekd.exe | 109
PID 4972 wrote to memory of 4772 | 4972 | Mgeakekd.exe | 109
PID 4772 wrote to memory of 3268 | 4772 | Njfkmphe.exe | 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.cf5182eec47c297e303016391c2e1550.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.cf5182eec47c297e303016391c2e1550.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Jebfng32.exeC:\Windows\system32\Jebfng32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Knnhjcog.exeC:\Windows\system32\Knnhjcog.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Knqepc32.exeC:\Windows\system32\Knqepc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Kngkqbgl.exeC:\Windows\system32\Kngkqbgl.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Lgpoihnl.exeC:\Windows\system32\Lgpoihnl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Lgdidgjg.exeC:\Windows\system32\Lgdidgjg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Lmdnbn32.exeC:\Windows\system32\Lmdnbn32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Mcpcdg32.exeC:\Windows\system32\Mcpcdg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\Mfchlbfd.exeC:\Windows\system32\Mfchlbfd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Mgeakekd.exeC:\Windows\system32\Mgeakekd.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3180 -
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe6⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Njmqnobn.exeC:\Windows\system32\Njmqnobn.exe7⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Onkidm32.exeC:\Windows\system32\Onkidm32.exe8⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe9⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe10⤵
- Executes dropped EXE
PID:4268 -
C:\Windows\SysWOW64\Omdppiif.exeC:\Windows\system32\Omdppiif.exe11⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe13⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe14⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe15⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe16⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Bmjkic32.exeC:\Windows\system32\Bmjkic32.exe17⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe18⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe20⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Bnoddcef.exeC:\Windows\system32\Bnoddcef.exe21⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe22⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Cnaaib32.exeC:\Windows\system32\Cnaaib32.exe23⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe24⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Cgifbhid.exeC:\Windows\system32\Cgifbhid.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3924 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4288 -
C:\Windows\SysWOW64\Dhbebj32.exeC:\Windows\system32\Dhbebj32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe32⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe33⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Dkekjdck.exeC:\Windows\system32\Dkekjdck.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3564 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe35⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe37⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Eklajcmc.exeC:\Windows\system32\Eklajcmc.exe38⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Eqiibjlj.exeC:\Windows\system32\Eqiibjlj.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe40⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe42⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Hfamia32.exeC:\Windows\system32\Hfamia32.exe44⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Odifjipd.exeC:\Windows\system32\Odifjipd.exe45⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Pgaelcgm.exeC:\Windows\system32\Pgaelcgm.exe46⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Qkchna32.exeC:\Windows\system32\Qkchna32.exe47⤵PID:4148
-
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\Agjhbbob.exeC:\Windows\system32\Agjhbbob.exe49⤵PID:4264
-
C:\Windows\SysWOW64\Abpmpkoh.exeC:\Windows\system32\Abpmpkoh.exe50⤵PID:2536
-
C:\Windows\SysWOW64\Niihlkdm.exeC:\Windows\system32\Niihlkdm.exe51⤵
- Modifies registry class
PID:4768 -
C:\Windows\SysWOW64\Ogpfko32.exeC:\Windows\system32\Ogpfko32.exe52⤵PID:1212
-
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe53⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Omlkmign.exeC:\Windows\system32\Omlkmign.exe54⤵PID:4396
-
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:828 -
C:\Windows\SysWOW64\Ogdofo32.exeC:\Windows\system32\Ogdofo32.exe56⤵
- Drops file in System32 directory
PID:3788 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe57⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Oajccgmd.exeC:\Windows\system32\Oajccgmd.exe58⤵PID:1088
-
C:\Windows\SysWOW64\Ohdlpa32.exeC:\Windows\system32\Ohdlpa32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe60⤵PID:4772
-
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe61⤵PID:3964
-
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe62⤵PID:560
-
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe63⤵
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe64⤵PID:4480
-
C:\Windows\SysWOW64\Pdmikb32.exeC:\Windows\system32\Pdmikb32.exe65⤵PID:1128
-
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe66⤵PID:3528
-
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:3376 -
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe69⤵PID:4852
-
C:\Windows\SysWOW64\Jmccnk32.exeC:\Windows\system32\Jmccnk32.exe70⤵PID:1312
-
C:\Windows\SysWOW64\Joaojf32.exeC:\Windows\system32\Joaojf32.exe71⤵PID:2460
-
C:\Windows\SysWOW64\Jflgfpkc.exeC:\Windows\system32\Jflgfpkc.exe72⤵PID:4508
-
C:\Windows\SysWOW64\Jmepcj32.exeC:\Windows\system32\Jmepcj32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4996 -
C:\Windows\SysWOW64\Jodlof32.exeC:\Windows\system32\Jodlof32.exe74⤵PID:1472
-
C:\Windows\SysWOW64\Kbbhka32.exeC:\Windows\system32\Kbbhka32.exe75⤵PID:3200
-
C:\Windows\SysWOW64\Kjipmoai.exeC:\Windows\system32\Kjipmoai.exe76⤵
- Modifies registry class
PID:4284 -
C:\Windows\SysWOW64\Kilphk32.exeC:\Windows\system32\Kilphk32.exe77⤵
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\Kcbded32.exeC:\Windows\system32\Kcbded32.exe78⤵PID:2756
-
C:\Windows\SysWOW64\Kjlmbnof.exeC:\Windows\system32\Kjlmbnof.exe79⤵PID:1152
-
C:\Windows\SysWOW64\Kicfijal.exeC:\Windows\system32\Kicfijal.exe80⤵PID:2196
-
C:\Windows\SysWOW64\Kfggbope.exeC:\Windows\system32\Kfggbope.exe81⤵PID:1356
-
C:\Windows\SysWOW64\Kmaooihb.exeC:\Windows\system32\Kmaooihb.exe82⤵PID:2160
-
C:\Windows\SysWOW64\Lopkkdgf.exeC:\Windows\system32\Lopkkdgf.exe83⤵PID:4740
-
C:\Windows\SysWOW64\Lfjchn32.exeC:\Windows\system32\Lfjchn32.exe84⤵PID:2124
-
C:\Windows\SysWOW64\Lihpdj32.exeC:\Windows\system32\Lihpdj32.exe85⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Lcndab32.exeC:\Windows\system32\Lcndab32.exe86⤵PID:4856
-
C:\Windows\SysWOW64\Lmfhjhdm.exeC:\Windows\system32\Lmfhjhdm.exe87⤵PID:5032
-
C:\Windows\SysWOW64\Lfnmcnjn.exeC:\Windows\system32\Lfnmcnjn.exe88⤵
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Limioiia.exeC:\Windows\system32\Limioiia.exe89⤵
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Lbenho32.exeC:\Windows\system32\Lbenho32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:3748 -
C:\Windows\SysWOW64\Liofdigo.exeC:\Windows\system32\Liofdigo.exe91⤵PID:2032
-
C:\Windows\SysWOW64\Llmbqdfb.exeC:\Windows\system32\Llmbqdfb.exe92⤵PID:5092
-
C:\Windows\SysWOW64\Lbgjmnno.exeC:\Windows\system32\Lbgjmnno.exe93⤵PID:4272
-
C:\Windows\SysWOW64\Lmmokgne.exeC:\Windows\system32\Lmmokgne.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Mpkkgbmi.exeC:\Windows\system32\Mpkkgbmi.exe95⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe96⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Enaaiifb.exeC:\Windows\system32\Enaaiifb.exe97⤵PID:1948
-
C:\Windows\SysWOW64\Kohnpoib.exeC:\Windows\system32\Kohnpoib.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Knmkak32.exeC:\Windows\system32\Knmkak32.exe99⤵PID:3024
-
C:\Windows\SysWOW64\Klnkoc32.exeC:\Windows\system32\Klnkoc32.exe100⤵
- Drops file in System32 directory
PID:3512 -
C:\Windows\SysWOW64\Kffphhmj.exeC:\Windows\system32\Kffphhmj.exe101⤵
- Drops file in System32 directory
PID:3284 -
C:\Windows\SysWOW64\Loodqn32.exeC:\Windows\system32\Loodqn32.exe102⤵PID:1408
-
C:\Windows\SysWOW64\Ldlmieaa.exeC:\Windows\system32\Ldlmieaa.exe103⤵PID:3548
-
C:\Windows\SysWOW64\Lkhbko32.exeC:\Windows\system32\Lkhbko32.exe104⤵PID:2624
-
C:\Windows\SysWOW64\Ldccid32.exeC:\Windows\system32\Ldccid32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Lbgcch32.exeC:\Windows\system32\Lbgcch32.exe106⤵PID:5004
-
C:\Windows\SysWOW64\Mfgiof32.exeC:\Windows\system32\Mfgiof32.exe107⤵PID:1700
-
C:\Windows\SysWOW64\Moajmk32.exeC:\Windows\system32\Moajmk32.exe108⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Mflbjejb.exeC:\Windows\system32\Mflbjejb.exe109⤵PID:4300
-
C:\Windows\SysWOW64\Nfnooe32.exeC:\Windows\system32\Nfnooe32.exe110⤵PID:4472
-
C:\Windows\SysWOW64\Npkmcj32.exeC:\Windows\system32\Npkmcj32.exe111⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Nehekq32.exeC:\Windows\system32\Nehekq32.exe112⤵PID:4892
-
C:\Windows\SysWOW64\Nlbnhkqo.exeC:\Windows\system32\Nlbnhkqo.exe113⤵PID:1284
-
C:\Windows\SysWOW64\Nblfee32.exeC:\Windows\system32\Nblfee32.exe114⤵PID:2000
-
C:\Windows\SysWOW64\Nmajbnha.exeC:\Windows\system32\Nmajbnha.exe115⤵
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Omdghmfo.exeC:\Windows\system32\Omdghmfo.exe116⤵PID:4932
-
C:\Windows\SysWOW64\Oflkqc32.exeC:\Windows\system32\Oflkqc32.exe117⤵PID:1936
-
C:\Windows\SysWOW64\Opdpih32.exeC:\Windows\system32\Opdpih32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4812 -
C:\Windows\SysWOW64\Oimdbnip.exeC:\Windows\system32\Oimdbnip.exe119⤵PID:3520
-
C:\Windows\SysWOW64\Pekkhn32.exeC:\Windows\system32\Pekkhn32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Pbokab32.exeC:\Windows\system32\Pbokab32.exe121⤵
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Qbhnga32.exeC:\Windows\system32\Qbhnga32.exe122⤵PID:3944