Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22/10/2023, 17:18
Behavioral task
behavioral1
Sample
NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe
-
Size
176KB
-
MD5
46c11c5ac8c550c05bdf14211b5fe3a0
-
SHA1
63a43f3340c8cf3b9a9388932afa45d97031840c
-
SHA256
72aae504d785449cc96d73eba4ded262c9c8459e35cbd59d509d1a83897a3369
-
SHA512
88889d55987419236f9d9355bb77ec5537c1729dacfeb276fd9660b0c0b034bc7dcb2f859722326198f6690a42f3132099414f0226c3ddec293361e65c17f7ba
-
SSDEEP
3072:xAw/IMYd5xIFgo1cjENRZ9wmAOIayGsOOJF4EISi/i4gG4npAjmA39QQIckJI:xAZMYdkFgo1nTZ9EaUn4yjK99QQd
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajgfboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmjgnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikaqppk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfgbkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdhnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egeecf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlkcbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdknfiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqqdjceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbdlnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibadnhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnlba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Facfpddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iilceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ammoel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iainddpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfgmnpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfcmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdigkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijehdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alofnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmogpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmkfqind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behilopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebicee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hidfjckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kninog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iencdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfhjfdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fioajqmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhkakonn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkcbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmefad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcohbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oapcfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bneancnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papmlmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bglghdbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmipko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlbkcfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlqfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblcin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidkep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccahc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakcan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlldmimi.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1144-0-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x00070000000120e5-5.dat family_berbew behavioral1/memory/1144-6-0x00000000003A0000-0x00000000003DE000-memory.dmp family_berbew behavioral1/files/0x00070000000120e5-8.dat family_berbew behavioral1/files/0x00070000000120e5-9.dat family_berbew behavioral1/files/0x00070000000120e5-12.dat family_berbew behavioral1/files/0x00070000000120e5-13.dat family_berbew behavioral1/files/0x0009000000016c2b-18.dat family_berbew behavioral1/files/0x0009000000016c2b-27.dat family_berbew behavioral1/memory/2228-26-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0009000000016c2b-25.dat family_berbew behavioral1/memory/2792-40-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0009000000016c32-33.dat family_berbew behavioral1/files/0x0009000000016c32-41.dat family_berbew behavioral1/files/0x0009000000016c32-39.dat family_berbew behavioral1/files/0x0009000000016c32-36.dat family_berbew behavioral1/files/0x0009000000016c32-35.dat family_berbew behavioral1/files/0x0009000000016c2b-22.dat family_berbew behavioral1/files/0x0009000000016c2b-21.dat family_berbew behavioral1/memory/1212-20-0x0000000000220000-0x000000000025E000-memory.dmp family_berbew behavioral1/files/0x0008000000016d05-50.dat family_berbew behavioral1/files/0x0008000000016d05-55.dat family_berbew behavioral1/memory/2672-54-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0008000000016d05-53.dat family_berbew behavioral1/files/0x0008000000016d05-49.dat family_berbew behavioral1/files/0x0009000000016d54-66.dat family_berbew behavioral1/files/0x0009000000016d54-63.dat family_berbew behavioral1/files/0x0009000000016d54-62.dat family_berbew behavioral1/files/0x0009000000016d54-60.dat family_berbew behavioral1/memory/2792-48-0x0000000000220000-0x000000000025E000-memory.dmp family_berbew behavioral1/files/0x0008000000016d05-46.dat family_berbew behavioral1/files/0x0009000000016d54-67.dat family_berbew behavioral1/files/0x0006000000016d74-79.dat family_berbew behavioral1/files/0x0006000000016d74-78.dat family_berbew behavioral1/files/0x0006000000016d74-75.dat family_berbew behavioral1/files/0x0006000000016d85-84.dat family_berbew behavioral1/files/0x0006000000016d74-74.dat family_berbew behavioral1/files/0x0006000000016d74-72.dat family_berbew behavioral1/files/0x0006000000016d85-87.dat family_berbew behavioral1/files/0x0006000000016d85-86.dat family_berbew behavioral1/files/0x0006000000016d85-91.dat family_berbew behavioral1/files/0x0006000000016d85-90.dat family_berbew behavioral1/files/0x0006000000016fe7-96.dat family_berbew behavioral1/files/0x0006000000016fe7-102.dat family_berbew behavioral1/files/0x0006000000016fe7-103.dat family_berbew behavioral1/files/0x0006000000016fe7-99.dat family_berbew behavioral1/files/0x0006000000016fe7-98.dat family_berbew behavioral1/files/0x0006000000017563-114.dat family_berbew behavioral1/files/0x0006000000017563-111.dat family_berbew behavioral1/files/0x0006000000017563-110.dat family_berbew behavioral1/files/0x0006000000017563-108.dat family_berbew behavioral1/files/0x0006000000017563-115.dat family_berbew behavioral1/files/0x0005000000018697-126.dat family_berbew behavioral1/files/0x0005000000018697-127.dat family_berbew behavioral1/files/0x0005000000018697-123.dat family_berbew behavioral1/files/0x0005000000018697-122.dat family_berbew behavioral1/files/0x0005000000018697-120.dat family_berbew behavioral1/files/0x00050000000186ce-132.dat family_berbew behavioral1/files/0x00050000000186ce-138.dat family_berbew behavioral1/files/0x00050000000186ce-135.dat family_berbew behavioral1/files/0x00050000000186ce-134.dat family_berbew behavioral1/files/0x00050000000186ce-139.dat family_berbew behavioral1/files/0x0006000000018aa8-151.dat family_berbew behavioral1/files/0x0006000000018aa8-150.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1212 Akkoig32.exe 2228 Abpjjeim.exe 2792 Aodkci32.exe 2672 Bkklhjnk.exe 2856 Boidnh32.exe 2544 Bnnaoe32.exe 3044 Behilopf.exe 772 Bejfao32.exe 776 Cjgoje32.exe 1504 Cfnoogbo.exe 2868 Cpfdhl32.exe 2804 Cpiqmlfm.exe 1584 Cmmagpef.exe 2076 Cfeepelg.exe 1768 Dacpkc32.exe 1348 Dklddhka.exe 1236 Dgbeiiqe.exe 2136 Dahifbpk.exe 1792 Dbifnj32.exe 1372 Epmfgo32.exe 2436 Eggndi32.exe 1652 Eiekpd32.exe 1964 Ehkhaqpk.exe 1824 Elfcbo32.exe 792 Eoepnk32.exe 1472 Eijdkcgn.exe 2336 Eklqcl32.exe 1748 Ecbhdi32.exe 3024 Eeaepd32.exe 1700 Elkmmodo.exe 2044 Enlidg32.exe 2844 Edfbaabj.exe 2364 Fgdnnl32.exe 2696 Fkpjnkig.exe 2700 Fajbke32.exe 2704 Fdiogq32.exe 2824 Fkbgckgd.exe 2572 Famope32.exe 2828 Fkecij32.exe 324 Fncpef32.exe 700 Ffodjh32.exe 564 Fnflke32.exe 2896 Fqdiga32.exe 808 Ffaaoh32.exe 844 Fqfemqod.exe 320 Gfcnegnk.exe 1928 Gkpfmnlb.exe 2412 Gcgnnlle.exe 1108 Ghdgfbkl.exe 2984 Gonocmbi.exe 1480 Gfhgpg32.exe 1164 Ggicgopd.exe 708 Goplilpf.exe 3000 Gbohehoj.exe 1880 Gdmdacnn.exe 612 Ggkqmoma.exe 1800 Gneijien.exe 2756 Gcbabpcf.exe 556 Hkiicmdh.exe 2168 Hnheohcl.exe 1580 Hqfaldbo.exe 2004 Hfcjdkpg.exe 2760 Hnjbeh32.exe 2740 Hahnac32.exe -
Loads dropped DLL 64 IoCs
pid Process 1144 NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe 1144 NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe 1212 Akkoig32.exe 1212 Akkoig32.exe 2228 Abpjjeim.exe 2228 Abpjjeim.exe 2792 Aodkci32.exe 2792 Aodkci32.exe 2672 Bkklhjnk.exe 2672 Bkklhjnk.exe 2856 Boidnh32.exe 2856 Boidnh32.exe 2544 Bnnaoe32.exe 2544 Bnnaoe32.exe 3044 Behilopf.exe 3044 Behilopf.exe 772 Bejfao32.exe 772 Bejfao32.exe 776 Cjgoje32.exe 776 Cjgoje32.exe 1504 Cfnoogbo.exe 1504 Cfnoogbo.exe 2868 Cpfdhl32.exe 2868 Cpfdhl32.exe 2804 Cpiqmlfm.exe 2804 Cpiqmlfm.exe 1584 Cmmagpef.exe 1584 Cmmagpef.exe 2076 Cfeepelg.exe 2076 Cfeepelg.exe 1768 Dacpkc32.exe 1768 Dacpkc32.exe 1348 Dklddhka.exe 1348 Dklddhka.exe 1236 Dgbeiiqe.exe 1236 Dgbeiiqe.exe 2136 Dahifbpk.exe 2136 Dahifbpk.exe 1792 Dbifnj32.exe 1792 Dbifnj32.exe 1372 Epmfgo32.exe 1372 Epmfgo32.exe 2436 Eggndi32.exe 2436 Eggndi32.exe 1652 Eiekpd32.exe 1652 Eiekpd32.exe 1964 Ehkhaqpk.exe 1964 Ehkhaqpk.exe 1824 Elfcbo32.exe 1824 Elfcbo32.exe 792 Eoepnk32.exe 792 Eoepnk32.exe 1472 Eijdkcgn.exe 1472 Eijdkcgn.exe 2336 Eklqcl32.exe 2336 Eklqcl32.exe 1748 Ecbhdi32.exe 1748 Ecbhdi32.exe 3024 Eeaepd32.exe 3024 Eeaepd32.exe 1700 Elkmmodo.exe 1700 Elkmmodo.exe 2044 Enlidg32.exe 2044 Enlidg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ollopmbl.dll Llgjaeoj.exe File created C:\Windows\SysWOW64\Qmpebb32.dll Klhbdclg.exe File created C:\Windows\SysWOW64\Dbnddjom.dll Enenef32.exe File created C:\Windows\SysWOW64\Pnbogaqb.dll Lhklha32.exe File opened for modification C:\Windows\SysWOW64\Jpeafo32.exe Jhniebne.exe File opened for modification C:\Windows\SysWOW64\Hcldhnkk.exe Hldlga32.exe File created C:\Windows\SysWOW64\Clkicbfa.exe Cfaqfh32.exe File created C:\Windows\SysWOW64\Pjeimkch.dll Ofdeeb32.exe File opened for modification C:\Windows\SysWOW64\Lekcffem.exe Lmckeidj.exe File created C:\Windows\SysWOW64\Olglagcg.dll Bodhlane.exe File opened for modification C:\Windows\SysWOW64\Efdohq32.exe Epkgkfmd.exe File opened for modification C:\Windows\SysWOW64\Akkoig32.exe NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe File created C:\Windows\SysWOW64\Cpfdhl32.exe Cfnoogbo.exe File created C:\Windows\SysWOW64\Cpiqmlfm.exe Cpfdhl32.exe File opened for modification C:\Windows\SysWOW64\Kcgphp32.exe Kpicle32.exe File created C:\Windows\SysWOW64\Olgpff32.exe Oemhjlha.exe File opened for modification C:\Windows\SysWOW64\Cgdflb32.exe Cdejpg32.exe File opened for modification C:\Windows\SysWOW64\Lohccp32.exe Lgqkbb32.exe File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe Lqipkhbj.exe File created C:\Windows\SysWOW64\Oadkej32.exe Njjcip32.exe File created C:\Windows\SysWOW64\Ieileaop.dll Hmkiobge.exe File opened for modification C:\Windows\SysWOW64\Hidfjckg.exe Hlqfqo32.exe File opened for modification C:\Windows\SysWOW64\Npffaq32.exe Nmgjee32.exe File created C:\Windows\SysWOW64\Kjoahnho.dll Jampjian.exe File created C:\Windows\SysWOW64\Oabkom32.exe Olebgfao.exe File opened for modification C:\Windows\SysWOW64\Klhbdclg.exe Kenjgi32.exe File opened for modification C:\Windows\SysWOW64\Obnbpb32.exe Omqjgl32.exe File opened for modification C:\Windows\SysWOW64\Bkjpncii.exe Bcbhmehg.exe File created C:\Windows\SysWOW64\Onpoob32.dll Gpiffngk.exe File opened for modification C:\Windows\SysWOW64\Eeaepd32.exe Ecbhdi32.exe File created C:\Windows\SysWOW64\Mcqombic.exe Mmgfqh32.exe File opened for modification C:\Windows\SysWOW64\Bimbql32.exe Bafkookd.exe File opened for modification C:\Windows\SysWOW64\Mmemoe32.exe Mjgqcj32.exe File created C:\Windows\SysWOW64\Gcjiedde.dll Oakcan32.exe File created C:\Windows\SysWOW64\Dhaboi32.exe Dohnfc32.exe File created C:\Windows\SysWOW64\Dklddhka.exe Dacpkc32.exe File opened for modification C:\Windows\SysWOW64\Afbnec32.exe Ankedf32.exe File opened for modification C:\Windows\SysWOW64\Njjieace.exe Ndnplk32.exe File created C:\Windows\SysWOW64\Eelinm32.exe Ebnlba32.exe File created C:\Windows\SysWOW64\Jefpeh32.exe Jbhcim32.exe File created C:\Windows\SysWOW64\Nhfpnk32.dll Kffldlne.exe File created C:\Windows\SysWOW64\Bakaaepk.exe Bihgmdih.exe File created C:\Windows\SysWOW64\Akjfhdka.exe Acbnggjo.exe File created C:\Windows\SysWOW64\Nakahn32.dll Hmiljb32.exe File created C:\Windows\SysWOW64\Jhniebne.exe Jlghpa32.exe File opened for modification C:\Windows\SysWOW64\Jkobgm32.exe Jjneoeeh.exe File opened for modification C:\Windows\SysWOW64\Bgichoqj.exe Boakgapg.exe File created C:\Windows\SysWOW64\Mfmndn32.exe Mobfgdcl.exe File opened for modification C:\Windows\SysWOW64\Epipql32.exe Ejohdbok.exe File created C:\Windows\SysWOW64\Fqdiga32.exe Fnflke32.exe File opened for modification C:\Windows\SysWOW64\Lonpma32.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Hlilhb32.dll Codeih32.exe File created C:\Windows\SysWOW64\Lfhkok32.dll Pdjpmi32.exe File opened for modification C:\Windows\SysWOW64\Pjhaec32.exe Papmlmbp.exe File opened for modification C:\Windows\SysWOW64\Bcjhig32.exe Qoopie32.exe File opened for modification C:\Windows\SysWOW64\Abhnlqlf.exe Pmimpf32.exe File created C:\Windows\SysWOW64\Edfbaabj.exe Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Noepdo32.exe Nkjdcp32.exe File created C:\Windows\SysWOW64\Ammoel32.exe Afcghbgp.exe File created C:\Windows\SysWOW64\Phkdfgmp.dll Ojakdd32.exe File created C:\Windows\SysWOW64\Ldingm32.dll Ibmhjc32.exe File created C:\Windows\SysWOW64\Kgnbnpkp.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Lnjeilhc.dll Lfhhjklc.exe File opened for modification C:\Windows\SysWOW64\Dajgfboj.exe Ckpoih32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfpqgco.dll" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgdlnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bglghdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fidkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmlmhlo.dll" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkckneq.dll" Mcjhmcok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcjoci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhkhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elebllmi.dll" Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncqodedk.dll" Ekpkhkji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjfdpckc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmhjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfgcieii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hccbnhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccamabgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbbgdjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljgkom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdipfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnnepij.dll" Mlmjgnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjoacao.dll" Nlmffa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmfhqmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onhlmh32.dll" Eeaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll" Djafaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bikfklni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blcokf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkaeob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfncf32.dll" Ebnmpemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pijgbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokold32.dll" Bpdkajic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll" Bakaaepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojeomee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miiofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgglq32.dll" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmllmn32.dll" Bcbhmehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngnjmjh.dll" Ecbhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lakfjp32.dll" Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmeeene.dll" Gcchgini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbmmbhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfdaid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncpef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggekf32.dll" Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libghd32.dll" Ndnplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbkgjqib.dll" Efdohq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngealejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nciija32.dll" Hengep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcjogidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abhnlqlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddgejcp.dll" Mmgfqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqfdem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjneoeeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpngmb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1144 wrote to memory of 1212 1144 NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe 28 PID 1144 wrote to memory of 1212 1144 NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe 28 PID 1144 wrote to memory of 1212 1144 NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe 28 PID 1144 wrote to memory of 1212 1144 NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe 28 PID 1212 wrote to memory of 2228 1212 Akkoig32.exe 29 PID 1212 wrote to memory of 2228 1212 Akkoig32.exe 29 PID 1212 wrote to memory of 2228 1212 Akkoig32.exe 29 PID 1212 wrote to memory of 2228 1212 Akkoig32.exe 29 PID 2228 wrote to memory of 2792 2228 Abpjjeim.exe 30 PID 2228 wrote to memory of 2792 2228 Abpjjeim.exe 30 PID 2228 wrote to memory of 2792 2228 Abpjjeim.exe 30 PID 2228 wrote to memory of 2792 2228 Abpjjeim.exe 30 PID 2792 wrote to memory of 2672 2792 Aodkci32.exe 31 PID 2792 wrote to memory of 2672 2792 Aodkci32.exe 31 PID 2792 wrote to memory of 2672 2792 Aodkci32.exe 31 PID 2792 wrote to memory of 2672 2792 Aodkci32.exe 31 PID 2672 wrote to memory of 2856 2672 Bkklhjnk.exe 32 PID 2672 wrote to memory of 2856 2672 Bkklhjnk.exe 32 PID 2672 wrote to memory of 2856 2672 Bkklhjnk.exe 32 PID 2672 wrote to memory of 2856 2672 Bkklhjnk.exe 32 PID 2856 wrote to memory of 2544 2856 Boidnh32.exe 33 PID 2856 wrote to memory of 2544 2856 Boidnh32.exe 33 PID 2856 wrote to memory of 2544 2856 Boidnh32.exe 33 PID 2856 wrote to memory of 2544 2856 Boidnh32.exe 33 PID 2544 wrote to memory of 3044 2544 Bnnaoe32.exe 34 PID 2544 wrote to memory of 3044 2544 Bnnaoe32.exe 34 PID 2544 wrote to memory of 3044 2544 Bnnaoe32.exe 34 PID 2544 wrote to memory of 3044 2544 Bnnaoe32.exe 34 PID 3044 wrote to memory of 772 3044 Behilopf.exe 35 PID 3044 wrote to memory of 772 3044 Behilopf.exe 35 PID 3044 wrote to memory of 772 3044 Behilopf.exe 35 PID 3044 wrote to memory of 772 3044 Behilopf.exe 35 PID 772 wrote to memory of 776 772 Bejfao32.exe 36 PID 772 wrote to memory of 776 772 Bejfao32.exe 36 PID 772 wrote to memory of 776 772 Bejfao32.exe 36 PID 772 wrote to memory of 776 772 Bejfao32.exe 36 PID 776 wrote to memory of 1504 776 Cjgoje32.exe 37 PID 776 wrote to memory of 1504 776 Cjgoje32.exe 37 PID 776 wrote to memory of 1504 776 Cjgoje32.exe 37 PID 776 wrote to memory of 1504 776 Cjgoje32.exe 37 PID 1504 wrote to memory of 2868 1504 Cfnoogbo.exe 38 PID 1504 wrote to memory of 2868 1504 Cfnoogbo.exe 38 PID 1504 wrote to memory of 2868 1504 Cfnoogbo.exe 38 PID 1504 wrote to memory of 2868 1504 Cfnoogbo.exe 38 PID 2868 wrote to memory of 2804 2868 Cpfdhl32.exe 39 PID 2868 wrote to memory of 2804 2868 Cpfdhl32.exe 39 PID 2868 wrote to memory of 2804 2868 Cpfdhl32.exe 39 PID 2868 wrote to memory of 2804 2868 Cpfdhl32.exe 39 PID 2804 wrote to memory of 1584 2804 Cpiqmlfm.exe 40 PID 2804 wrote to memory of 1584 2804 Cpiqmlfm.exe 40 PID 2804 wrote to memory of 1584 2804 Cpiqmlfm.exe 40 PID 2804 wrote to memory of 1584 2804 Cpiqmlfm.exe 40 PID 1584 wrote to memory of 2076 1584 Cmmagpef.exe 41 PID 1584 wrote to memory of 2076 1584 Cmmagpef.exe 41 PID 1584 wrote to memory of 2076 1584 Cmmagpef.exe 41 PID 1584 wrote to memory of 2076 1584 Cmmagpef.exe 41 PID 2076 wrote to memory of 1768 2076 Cfeepelg.exe 42 PID 2076 wrote to memory of 1768 2076 Cfeepelg.exe 42 PID 2076 wrote to memory of 1768 2076 Cfeepelg.exe 42 PID 2076 wrote to memory of 1768 2076 Cfeepelg.exe 42 PID 1768 wrote to memory of 1348 1768 Dacpkc32.exe 43 PID 1768 wrote to memory of 1348 1768 Dacpkc32.exe 43 PID 1768 wrote to memory of 1348 1768 Dacpkc32.exe 43 PID 1768 wrote to memory of 1348 1768 Dacpkc32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.46c11c5ac8c550c05bdf14211b5fe3a0.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe33⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe34⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe35⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe36⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe37⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe38⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe39⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe40⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe42⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe44⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe45⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe46⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe48⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe49⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe50⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe51⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe52⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe53⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe54⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe55⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe56⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe57⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe58⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe59⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe61⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe62⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe63⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe64⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe65⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe66⤵PID:2812
-
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe67⤵PID:1244
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe68⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe69⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe71⤵PID:992
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe72⤵PID:2892
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe73⤵PID:2916
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe75⤵PID:2292
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe76⤵PID:2088
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe77⤵PID:1728
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe79⤵PID:1740
-
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe80⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe81⤵PID:544
-
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe82⤵PID:1856
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe83⤵PID:2072
-
C:\Windows\SysWOW64\Jampjian.exeC:\Windows\system32\Jampjian.exe84⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe85⤵PID:2456
-
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe86⤵PID:888
-
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe87⤵PID:3016
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2724 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe89⤵PID:2420
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe90⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe91⤵PID:2808
-
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe92⤵PID:2708
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe93⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe94⤵PID:1260
-
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe95⤵
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe96⤵PID:1760
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe97⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe98⤵
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe99⤵PID:1500
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe100⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe101⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe102⤵PID:1076
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe104⤵PID:2224
-
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe105⤵PID:1980
-
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe106⤵PID:2288
-
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe107⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe108⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe109⤵PID:2064
-
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe110⤵PID:2684
-
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe111⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe112⤵PID:2560
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe114⤵PID:1324
-
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe115⤵PID:1764
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe116⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe117⤵PID:1636
-
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe118⤵PID:1644
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe119⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe120⤵PID:784
-
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe121⤵
- Drops file in System32 directory
PID:1724
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-