Analysis

max time kernel: 148s
max time network: 131s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2023, 17:53

Behavioral task: behavioral1
Sample: NEAS.c8bc2690370736f45bfad838aca2afd2.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.c8bc2690370736f45bfad838aca2afd2.exe
Resource: win10v2004-20231023-en

General

Target: NEAS.c8bc2690370736f45bfad838aca2afd2.exe
Size: 255KB
MD5: c8bc2690370736f45bfad838aca2afd2
SHA1: 89c00c36532c3b0654955286175c1fc0676bd80b
SHA256: 2e19fa631804b66b075b16232d8fbccdd7aca0c64264c87698fa39ab0a9bd585
SHA512: 7bf873ab866e15ace9344a934479da19f32df7bc4ea5e92e2d6b9b943da3511ea656ad4843a031904cca4e454c3f6f1a12ceafcd126db7dd6c452bc7afa0f271
SSDEEP: 3072:sHoAFQeTdMegs3HZmMDw8asCHNhMXi6Y0HYSx9m9jqLsFmsdYXmAMS3KUUibN8oV:V3eZmMD2xUS6UJjwszeXmDZUH8aiGaEP
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbpqmfmd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahedjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdaojbjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojceef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilnqhddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngcbie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahngomkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbaafocg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cohkpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmenhe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfgdmjlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chlgid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klhioioc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pflbpg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmllgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfekec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmalgq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meecaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oiahnnji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cacegd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlifcqfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfhpjaba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peandcih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqgjdbpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjpdhifk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbbnjgik.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nggipg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgoobg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejdaoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onkjocjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahjahk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoohekal.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhqjen32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcdldknm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjngej32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljfckodo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngcbie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nojnql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abdbflnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mopdpg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oafjfokk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqpdcc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqpdcc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nddcimag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfglfdeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcqdidim.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldhgnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nggipg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahjahk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkkgfm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkgeehnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mliibj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Moahdd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgcdcjpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhimji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mejmmqpd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oggeokoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahngomkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dahobdpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkndiabh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klmbjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnkpjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidkmojn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohidmoaa.exe
Malware Backdoor - Berbew (64 IoCs)

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

resource | yara_rule
behavioral1/files/0x0008000000012027-5.dat | family_berbew
behavioral1/files/0x0008000000012027-8.dat | family_berbew
behavioral1/files/0x0008000000012027-12.dat | family_berbew
behavioral1/files/0x0008000000012027-9.dat | family_berbew
behavioral1/files/0x0008000000012027-13.dat | family_berbew
behavioral1/files/0x0033000000014bfe-22.dat | family_berbew
behavioral1/files/0x0033000000014bfe-21.dat | family_berbew
behavioral1/files/0x0033000000014bfe-18.dat | family_berbew
behavioral1/files/0x0033000000014bfe-26.dat | family_berbew
behavioral1/files/0x0033000000014bfe-27.dat | family_berbew
behavioral1/files/0x0007000000018b8c-32.dat | family_berbew
behavioral1/files/0x0007000000018b8c-35.dat | family_berbew
behavioral1/files/0x0007000000018b8c-34.dat | family_berbew
behavioral1/files/0x0007000000018b8c-40.dat | family_berbew
behavioral1/files/0x0007000000018b8c-39.dat | family_berbew
behavioral1/files/0x0007000000018bc0-46.dat | family_berbew
behavioral1/files/0x0007000000018bc0-53.dat | family_berbew
behavioral1/files/0x0007000000018bc0-50.dat | family_berbew
behavioral1/files/0x0007000000018bc0-49.dat | family_berbew
behavioral1/files/0x0007000000018bc0-54.dat | family_berbew
behavioral1/files/0x00060000000193b9-59.dat | family_berbew
behavioral1/files/0x00060000000193b9-64.dat | family_berbew
behavioral1/files/0x00060000000193b9-67.dat | family_berbew
behavioral1/files/0x00060000000193b9-66.dat | family_berbew
behavioral1/files/0x00060000000193b9-61.dat | family_berbew
behavioral1/files/0x0005000000019472-73.dat | family_berbew
behavioral1/files/0x0005000000019472-77.dat | family_berbew
behavioral1/files/0x0005000000019472-80.dat | family_berbew
behavioral1/files/0x0005000000019472-82.dat | family_berbew
behavioral1/files/0x0005000000019472-76.dat | family_berbew
behavioral1/files/0x0033000000017562-93.dat | family_berbew
behavioral1/files/0x0033000000017562-95.dat | family_berbew
behavioral1/files/0x0005000000019497-101.dat | family_berbew
behavioral1/files/0x0033000000017562-87.dat | family_berbew
behavioral1/files/0x0033000000017562-90.dat | family_berbew
behavioral1/files/0x0033000000017562-89.dat | family_berbew
behavioral1/files/0x0005000000019497-104.dat | family_berbew
behavioral1/files/0x0005000000019497-108.dat | family_berbew
behavioral1/files/0x0005000000019497-103.dat | family_berbew
behavioral1/files/0x0005000000019497-107.dat | family_berbew
behavioral1/files/0x000500000001949d-114.dat | family_berbew
behavioral1/files/0x000500000001949d-121.dat | family_berbew
behavioral1/files/0x000500000001949d-123.dat | family_berbew
behavioral1/files/0x000500000001949d-118.dat | family_berbew
behavioral1/files/0x000500000001949d-117.dat | family_berbew
behavioral1/files/0x00050000000194d2-128.dat | family_berbew
behavioral1/files/0x00050000000194d2-135.dat | family_berbew
behavioral1/files/0x00050000000194d2-132.dat | family_berbew
behavioral1/files/0x00050000000194d2-131.dat | family_berbew
behavioral1/files/0x00050000000194d2-136.dat | family_berbew
behavioral1/files/0x0005000000019522-150.dat | family_berbew
behavioral1/files/0x0005000000019522-142.dat | family_berbew
behavioral1/files/0x0005000000019522-148.dat | family_berbew
behavioral1/files/0x0005000000019522-145.dat | family_berbew
behavioral1/files/0x0005000000019522-144.dat | family_berbew
behavioral1/files/0x0005000000019589-155.dat | family_berbew
behavioral1/files/0x0005000000019589-162.dat | family_berbew
behavioral1/files/0x0005000000019589-159.dat | family_berbew
behavioral1/files/0x0005000000019589-158.dat | family_berbew
behavioral1/files/0x0005000000019589-163.dat | family_berbew
behavioral1/files/0x00050000000195b6-169.dat | family_berbew
behavioral1/files/0x00050000000195b6-171.dat | family_berbew
behavioral1/files/0x00050000000195b6-172.dat | family_berbew
behavioral1/files/0x00050000000195b6-175.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
1200 | Nidkmojn.exe
2636 | Npgihn32.exe
2640 | Odebolpe.exe
3016 | Ocjophem.exe
2520 | Ohidmoaa.exe
2324 | Oihqgbhd.exe
580 | Phnnho32.exe
1528 | Pnjfae32.exe
2864 | Phbgcnig.exe
3012 | Pdihiook.exe
1668 | Qjhmfekp.exe
1964 | Qglmpi32.exe
1860 | Akncimmh.exe
1592 | Amnocpdk.exe
1744 | Aoohekal.exe
2276 | Aigmnqgm.exe
1576 | Akhfoldn.exe
1656 | Bepjha32.exe
1540 | Bcegin32.exe
1932 | Bmnlbcfg.exe
296 | Bmphhc32.exe
1992 | Bekmle32.exe
920 | Bbonei32.exe
2332 | Clgbno32.exe
2224 | Cohkpj32.exe
1468 | Cdecha32.exe
2472 | Cedpbd32.exe
2184 | Comdkipe.exe
2800 | Cifelgmd.exe
2632 | Bcjcme32.exe
2880 | Bmbgfkje.exe
2584 | Coacbfii.exe
872 | Dnjoco32.exe
2856 | Kmimcbja.exe
2868 | Lcohahpn.exe
1496 | Lemdncoa.exe
804 | Lofifi32.exe
1968 | Ldbaopdj.exe
2608 | Lklikj32.exe
1596 | Lafahdcc.exe
2108 | Mhqjen32.exe
1532 | Mojbaham.exe
1252 | Mdgkjopd.exe
2196 | Mkacfiga.exe
2060 | Mpnkopeh.exe
1784 | Mghckj32.exe
1788 | Mdldeo32.exe
956 | Mfmqmgbm.exe
1816 | Mndhnd32.exe
3036 | Mgmmfjip.exe
1316 | Nhpfdaml.exe
1720 | Nojnql32.exe
2444 | Nhbciaki.exe
2436 | Nnokahip.exe
3000 | Nghpjn32.exe
1036 | Nqpdcc32.exe
2804 | Nbpqmfmd.exe
2924 | Ogliemkk.exe
2624 | Oqennbbl.exe
2696 | Occjjnap.exe
2656 | Oqgjdbpi.exe
2528 | Ogabql32.exe
2548 | Oibohdmd.exe
3004 | Oplgeoea.exe
Loads dropped DLL (64 IoCs)

pid | Process
2840 | NEAS.c8bc2690370736f45bfad838aca2afd2.exe
2840 | NEAS.c8bc2690370736f45bfad838aca2afd2.exe
1200 | Nidkmojn.exe
1200 | Nidkmojn.exe
2636 | Npgihn32.exe
2636 | Npgihn32.exe
2640 | Odebolpe.exe
2640 | Odebolpe.exe
3016 | Ocjophem.exe
3016 | Ocjophem.exe
2520 | Ohidmoaa.exe
2520 | Ohidmoaa.exe
2324 | Oihqgbhd.exe
2324 | Oihqgbhd.exe
580 | Phnnho32.exe
580 | Phnnho32.exe
1528 | Pnjfae32.exe
1528 | Pnjfae32.exe
2864 | Phbgcnig.exe
2864 | Phbgcnig.exe
3012 | Pdihiook.exe
3012 | Pdihiook.exe
1668 | Qjhmfekp.exe
1668 | Qjhmfekp.exe
1964 | Qglmpi32.exe
1964 | Qglmpi32.exe
1860 | Akncimmh.exe
1860 | Akncimmh.exe
1592 | Amnocpdk.exe
1592 | Amnocpdk.exe
1744 | Aoohekal.exe
1744 | Aoohekal.exe
2276 | Aigmnqgm.exe
2276 | Aigmnqgm.exe
1576 | Akhfoldn.exe
1576 | Akhfoldn.exe
1656 | Bepjha32.exe
1656 | Bepjha32.exe
1540 | Bcegin32.exe
1540 | Bcegin32.exe
1932 | Bmnlbcfg.exe
1932 | Bmnlbcfg.exe
296 | Bmphhc32.exe
296 | Bmphhc32.exe
1992 | Bekmle32.exe
1992 | Bekmle32.exe
920 | Bbonei32.exe
920 | Bbonei32.exe
2332 | Clgbno32.exe
2332 | Clgbno32.exe
2224 | Cohkpj32.exe
2224 | Cohkpj32.exe
1468 | Cdecha32.exe
1468 | Cdecha32.exe
2472 | Cedpbd32.exe
2472 | Cedpbd32.exe
2184 | Comdkipe.exe
2184 | Comdkipe.exe
2800 | Cifelgmd.exe
2800 | Cifelgmd.exe
2632 | Bcjcme32.exe
2632 | Bcjcme32.exe
2880 | Bmbgfkje.exe
2880 | Bmbgfkje.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Hoegoqng.exe | Hikobfgj.exe
File created | C:\Windows\SysWOW64\Eghenfkp.dll | Bfieec32.exe
File created | C:\Windows\SysWOW64\Cohkpj32.exe | Clgbno32.exe
File created | C:\Windows\SysWOW64\Annjfl32.dll | Kmimcbja.exe
File created | C:\Windows\SysWOW64\Mkacfiga.exe | Mdgkjopd.exe
File created | C:\Windows\SysWOW64\Neplhe32.dll | Plpqim32.exe
File opened for modification | C:\Windows\SysWOW64\Pcpbik32.exe | Paafmp32.exe
File created | C:\Windows\SysWOW64\Fpfkhbon.exe | Fcbjon32.exe
File created | C:\Windows\SysWOW64\Cpmbla32.dll | Dpmlcpdm.exe
File opened for modification | C:\Windows\SysWOW64\Fcbjon32.exe | Eaangfjf.exe
File created | C:\Windows\SysWOW64\Ijmdql32.exe | Ifahpnfl.exe
File created | C:\Windows\SysWOW64\Jmkgnjmo.dll | Pdihiook.exe
File created | C:\Windows\SysWOW64\Ljllgmcl.dll | Oqgjdbpi.exe
File created | C:\Windows\SysWOW64\Efkcnl32.dll | Qanmcdlm.exe
File created | C:\Windows\SysWOW64\Bfcnfh32.exe | Bqffna32.exe
File created | C:\Windows\SysWOW64\Nghpjn32.exe | Nnokahip.exe
File created | C:\Windows\SysWOW64\Cnipak32.exe | Chlgid32.exe
File created | C:\Windows\SysWOW64\Dgoobg32.exe | Beogaenl.exe
File created | C:\Windows\SysWOW64\Hefqbobh.dll | Qjgjpi32.exe
File created | C:\Windows\SysWOW64\Nmndlmhe.dll | Lafahdcc.exe
File created | C:\Windows\SysWOW64\Cfafhc32.dll | Abdbflnf.exe
File opened for modification | C:\Windows\SysWOW64\Kihpmnbb.exe | Kmaphmln.exe
File opened for modification | C:\Windows\SysWOW64\Mneaacno.exe | Mkgeehnl.exe
File created | C:\Windows\SysWOW64\Hefibg32.exe | Hkndiabh.exe
File opened for modification | C:\Windows\SysWOW64\Cconcjae.exe | Cnbfkccn.exe
File created | C:\Windows\SysWOW64\Qglmpi32.exe | Qjhmfekp.exe
File opened for modification | C:\Windows\SysWOW64\Lofifi32.exe | Lemdncoa.exe
File created | C:\Windows\SysWOW64\Pmpdmfff.exe | Phcleoho.exe
File created | C:\Windows\SysWOW64\Fgqcel32.exe | Fpfkhbon.exe
File created | C:\Windows\SysWOW64\Obamebfc.exe | Onfadc32.exe
File created | C:\Windows\SysWOW64\Bmphhc32.exe | Bmnlbcfg.exe
File opened for modification | C:\Windows\SysWOW64\Mkacfiga.exe | Mdgkjopd.exe
File created | C:\Windows\SysWOW64\Lbbnjgik.exe | Lmeebpkd.exe
File created | C:\Windows\SysWOW64\Ogpaem32.dll | Nccmng32.exe
File opened for modification | C:\Windows\SysWOW64\Kbbakc32.exe | Klhioioc.exe
File opened for modification | C:\Windows\SysWOW64\Kplfmfmf.exe | Jbooen32.exe
File created | C:\Windows\SysWOW64\Nfhpjaba.exe | Ncjcnfcn.exe
File opened for modification | C:\Windows\SysWOW64\Dgoobg32.exe | Beogaenl.exe
File opened for modification | C:\Windows\SysWOW64\Ggppdpif.exe | Gpfggeai.exe
File opened for modification | C:\Windows\SysWOW64\Pcbookpp.exe | Pimkbbpi.exe
File created | C:\Windows\SysWOW64\Abnopj32.exe | Aifjgdkj.exe
File created | C:\Windows\SysWOW64\Dnkcpohn.dll | Ejdaoa32.exe
File created | C:\Windows\SysWOW64\Mnpkkdjl.dll | Adhohapp.exe
File created | C:\Windows\SysWOW64\Nnhkggli.dll | Cihqbb32.exe
File created | C:\Windows\SysWOW64\Hpamlo32.dll | Nfhpjaba.exe
File created | C:\Windows\SysWOW64\Pcdldknm.exe | Piohgbng.exe
File created | C:\Windows\SysWOW64\Dkmghe32.exe | Djmknb32.exe
File opened for modification | C:\Windows\SysWOW64\Ngcbie32.exe | Nqijmkfm.exe
File opened for modification | C:\Windows\SysWOW64\Occjjnap.exe | Oqennbbl.exe
File opened for modification | C:\Windows\SysWOW64\Clefdcog.exe | Cdnncfoe.exe
File created | C:\Windows\SysWOW64\Dofohkkf.dll | Kihpmnbb.exe
File opened for modification | C:\Windows\SysWOW64\Klhioioc.exe | Keoabo32.exe
File created | C:\Windows\SysWOW64\Lbpjpn32.dll | Aoohekal.exe
File opened for modification | C:\Windows\SysWOW64\Bmbgfkje.exe | Bcjcme32.exe
File created | C:\Windows\SysWOW64\Ibhieo32.exe | Ilnqhddd.exe
File created | C:\Windows\SysWOW64\Bplmhi32.dll | Lpbhmiji.exe
File created | C:\Windows\SysWOW64\Dfgdpj32.exe | Dpmlcpdm.exe
File opened for modification | C:\Windows\SysWOW64\Bjembh32.exe | Blqmid32.exe
File opened for modification | C:\Windows\SysWOW64\Cgadja32.exe | Cnipak32.exe
File created | C:\Windows\SysWOW64\Macjgadf.exe | Meljbqna.exe
File created | C:\Windows\SysWOW64\Cnfnhaca.dll | Nggipg32.exe
File created | C:\Windows\SysWOW64\Clgbno32.exe | Bbonei32.exe
File created | C:\Windows\SysWOW64\Nckpfbjj.dll | Blqmid32.exe
File created | C:\Windows\SysWOW64\Mafick32.dll | Nobndj32.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | NEAS.c8bc2690370736f45bfad838aca2afd2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picanc32.dll" | Bbonei32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmmgbbeq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Niilmi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifijkq32.dll" | Odacbpee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahngomkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bokcom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbooen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnakjaoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cghmni32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocpbal32.dll" | Mojbaham.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nojnql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjck32.dll" | Qhkkim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplped32.dll" | Djemfibq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ckamihfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Npgihn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlfg32.dll" | Aigmnqgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgmnpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmmoqep.dll" | Jehbfjia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldlghhde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mogene32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njmejaqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhcmc32.dll" | Ohidmoaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpnkopeh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qmenhe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pimkbbpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omhkcnfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Difplf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jaoblk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhpjehm.dll" | Onfadc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Degqka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpblmp32.dll" | Mdldeo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pebbcdkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kihpmnbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbcbag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefqbobh.dll" | Qjgjpi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikbndqnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegdad32.dll" | Nqijmkfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcipgdao.dll" | Lklikj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphod32.dll" | Nbpqmfmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmfaj32.dll" | Omphocck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkgeehnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oddphp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adhohapp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphjan32.dll" | Lmeebpkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohaaaf.dll" | Abnopj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Difplf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iclfccmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiledbch.dll" | Ilnqhddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feembf32.dll" | Nhbciaki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnokahip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbomli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfgdpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnmlpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhac32.dll" | Ckamihfm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iblola32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odljflhj.dll" | Nfglfdeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djmknb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbgglq32.dll" | Cconcjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmphhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bgmnpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lddagi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ldkdckff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ccdnipal.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2840 wrote to memory of 1200 | 2840 | NEAS.c8bc2690370736f45bfad838aca2afd2.exe | 28
PID 2840 wrote to memory of 1200 | 2840 | NEAS.c8bc2690370736f45bfad838aca2afd2.exe | 28
PID 2840 wrote to memory of 1200 | 2840 | NEAS.c8bc2690370736f45bfad838aca2afd2.exe | 28
PID 2840 wrote to memory of 1200 | 2840 | NEAS.c8bc2690370736f45bfad838aca2afd2.exe | 28
PID 1200 wrote to memory of 2636 | 1200 | Nidkmojn.exe | 29
PID 1200 wrote to memory of 2636 | 1200 | Nidkmojn.exe | 29
PID 1200 wrote to memory of 2636 | 1200 | Nidkmojn.exe | 29
PID 1200 wrote to memory of 2636 | 1200 | Nidkmojn.exe | 29
PID 2636 wrote to memory of 2640 | 2636 | Npgihn32.exe | 30
PID 2636 wrote to memory of 2640 | 2636 | Npgihn32.exe | 30
PID 2636 wrote to memory of 2640 | 2636 | Npgihn32.exe | 30
PID 2636 wrote to memory of 2640 | 2636 | Npgihn32.exe | 30
PID 2640 wrote to memory of 3016 | 2640 | Odebolpe.exe | 31
PID 2640 wrote to memory of 3016 | 2640 | Odebolpe.exe | 31
PID 2640 wrote to memory of 3016 | 2640 | Odebolpe.exe | 31
PID 2640 wrote to memory of 3016 | 2640 | Odebolpe.exe | 31
PID 3016 wrote to memory of 2520 | 3016 | Ocjophem.exe | 32
PID 3016 wrote to memory of 2520 | 3016 | Ocjophem.exe | 32
PID 3016 wrote to memory of 2520 | 3016 | Ocjophem.exe | 32
PID 3016 wrote to memory of 2520 | 3016 | Ocjophem.exe | 32
PID 2520 wrote to memory of 2324 | 2520 | Ohidmoaa.exe | 33
PID 2520 wrote to memory of 2324 | 2520 | Ohidmoaa.exe | 33
PID 2520 wrote to memory of 2324 | 2520 | Ohidmoaa.exe | 33
PID 2520 wrote to memory of 2324 | 2520 | Ohidmoaa.exe | 33
PID 2324 wrote to memory of 580 | 2324 | Oihqgbhd.exe | 34
PID 2324 wrote to memory of 580 | 2324 | Oihqgbhd.exe | 34
PID 2324 wrote to memory of 580 | 2324 | Oihqgbhd.exe | 34
PID 2324 wrote to memory of 580 | 2324 | Oihqgbhd.exe | 34
PID 580 wrote to memory of 1528 | 580 | Phnnho32.exe | 35
PID 580 wrote to memory of 1528 | 580 | Phnnho32.exe | 35
PID 580 wrote to memory of 1528 | 580 | Phnnho32.exe | 35
PID 580 wrote to memory of 1528 | 580 | Phnnho32.exe | 35
PID 1528 wrote to memory of 2864 | 1528 | Pnjfae32.exe | 36
PID 1528 wrote to memory of 2864 | 1528 | Pnjfae32.exe | 36
PID 1528 wrote to memory of 2864 | 1528 | Pnjfae32.exe | 36
PID 1528 wrote to memory of 2864 | 1528 | Pnjfae32.exe | 36
PID 2864 wrote to memory of 3012 | 2864 | Phbgcnig.exe | 37
PID 2864 wrote to memory of 3012 | 2864 | Phbgcnig.exe | 37
PID 2864 wrote to memory of 3012 | 2864 | Phbgcnig.exe | 37
PID 2864 wrote to memory of 3012 | 2864 | Phbgcnig.exe | 37
PID 3012 wrote to memory of 1668 | 3012 | Pdihiook.exe | 38
PID 3012 wrote to memory of 1668 | 3012 | Pdihiook.exe | 38
PID 3012 wrote to memory of 1668 | 3012 | Pdihiook.exe | 38
PID 3012 wrote to memory of 1668 | 3012 | Pdihiook.exe | 38
PID 1668 wrote to memory of 1964 | 1668 | Qjhmfekp.exe | 39
PID 1668 wrote to memory of 1964 | 1668 | Qjhmfekp.exe | 39
PID 1668 wrote to memory of 1964 | 1668 | Qjhmfekp.exe | 39
PID 1668 wrote to memory of 1964 | 1668 | Qjhmfekp.exe | 39
PID 1964 wrote to memory of 1860 | 1964 | Qglmpi32.exe | 40
PID 1964 wrote to memory of 1860 | 1964 | Qglmpi32.exe | 40
PID 1964 wrote to memory of 1860 | 1964 | Qglmpi32.exe | 40
PID 1964 wrote to memory of 1860 | 1964 | Qglmpi32.exe | 40
PID 1860 wrote to memory of 1592 | 1860 | Akncimmh.exe | 41
PID 1860 wrote to memory of 1592 | 1860 | Akncimmh.exe | 41
PID 1860 wrote to memory of 1592 | 1860 | Akncimmh.exe | 41
PID 1860 wrote to memory of 1592 | 1860 | Akncimmh.exe | 41
PID 1592 wrote to memory of 1744 | 1592 | Amnocpdk.exe | 42
PID 1592 wrote to memory of 1744 | 1592 | Amnocpdk.exe | 42
PID 1592 wrote to memory of 1744 | 1592 | Amnocpdk.exe | 42
PID 1592 wrote to memory of 1744 | 1592 | Amnocpdk.exe | 42
PID 1744 wrote to memory of 2276 | 1744 | Aoohekal.exe | 43
PID 1744 wrote to memory of 2276 | 1744 | Aoohekal.exe | 43
PID 1744 wrote to memory of 2276 | 1744 | Aoohekal.exe | 43
PID 1744 wrote to memory of 2276 | 1744 | Aoohekal.exe | 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c8bc2690370736f45bfad838aca2afd2.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\NEAS.c8bc2690370736f45bfad838aca2afd2.exe", level 1, PID 2840)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nidkmojn.exe (cmd: C:\Windows\system32\Nidkmojn.exe, level 2, PID 1200)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Npgihn32.exe (cmd: C:\Windows\system32\Npgihn32.exe, level 3, PID 2636)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Odebolpe.exe (cmd: C:\Windows\system32\Odebolpe.exe, level 4, PID 2640)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ocjophem.exe (cmd: C:\Windows\system32\Ocjophem.exe, level 5, PID 3016)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ohidmoaa.exe (cmd: C:\Windows\system32\Ohidmoaa.exe, level 6, PID 2520)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oihqgbhd.exe (cmd: C:\Windows\system32\Oihqgbhd.exe, level 7, PID 2324)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Phnnho32.exe (cmd: C:\Windows\system32\Phnnho32.exe, level 8, PID 580)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pnjfae32.exe (cmd: C:\Windows\system32\Pnjfae32.exe, level 9, PID 1528)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Phbgcnig.exe (cmd: C:\Windows\system32\Phbgcnig.exe, level 10, PID 2864)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pdihiook.exe (cmd: C:\Windows\system32\Pdihiook.exe, level 11, PID 3012)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qjhmfekp.exe (cmd: C:\Windows\system32\Qjhmfekp.exe, level 12, PID 1668)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qglmpi32.exe (cmd: C:\Windows\system32\Qglmpi32.exe, level 13, PID 1964)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Akncimmh.exe (cmd: C:\Windows\system32\Akncimmh.exe, level 14, PID 1860)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Amnocpdk.exe (cmd: C:\Windows\system32\Amnocpdk.exe, level 15, PID 1592)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aoohekal.exe (cmd: C:\Windows\system32\Aoohekal.exe, level 16, PID 1744)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aigmnqgm.exe (cmd: C:\Windows\system32\Aigmnqgm.exe, level 17, PID 2276)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Akhfoldn.exe (cmd: C:\Windows\system32\Akhfoldn.exe, level 18, PID 1576)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bepjha32.exe (cmd: C:\Windows\system32\Bepjha32.exe, level 19, PID 1656)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bcegin32.exe (cmd: C:\Windows\system32\Bcegin32.exe, level 20, PID 1540)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bmnlbcfg.exe (cmd: C:\Windows\system32\Bmnlbcfg.exe, level 21, PID 1932)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Bmphhc32.exe (cmd: C:\Windows\system32\Bmphhc32.exe, level 22, PID 296)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Bekmle32.exe (cmd: C:\Windows\system32\Bekmle32.exe, level 23, PID 1992)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bbonei32.exe (cmd: C:\Windows\system32\Bbonei32.exe, level 24, PID 920)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Clgbno32.exe (cmd: C:\Windows\system32\Clgbno32.exe, level 25, PID 2332)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Cohkpj32.exe (cmd: C:\Windows\system32\Cohkpj32.exe, level 26, PID 2224)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cdecha32.exe (cmd: C:\Windows\system32\Cdecha32.exe, level 27, PID 1468)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cedpbd32.exe (cmd: C:\Windows\system32\Cedpbd32.exe, level 28, PID 2472)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Comdkipe.exe (cmd: C:\Windows\system32\Comdkipe.exe, level 29, PID 2184)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cifelgmd.exe (cmd: C:\Windows\system32\Cifelgmd.exe, level 30, PID 2800)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bcjcme32.exe (cmd: C:\Windows\system32\Bcjcme32.exe, level 31, PID 2632)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Bmbgfkje.exe (cmd: C:\Windows\system32\Bmbgfkje.exe, level 32, PID 2880)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Coacbfii.exe (cmd: C:\Windows\system32\Coacbfii.exe, level 33, PID 2584)
- Executes dropped EXE
C:\Windows\SysWOW64\Dnjoco32.exe (cmd: C:\Windows\system32\Dnjoco32.exe, level 34, PID 872)
- Executes dropped EXE
C:\Windows\SysWOW64\Kmimcbja.exe (cmd: C:\Windows\system32\Kmimcbja.exe, level 35, PID 2856)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Lcohahpn.exe (cmd: C:\Windows\system32\Lcohahpn.exe, level 36, PID 2868)
- Executes dropped EXE
C:\Windows\SysWOW64\Lemdncoa.exe (cmd: C:\Windows\system32\Lemdncoa.exe, level 37, PID 1496)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Lofifi32.exe (cmd: C:\Windows\system32\Lofifi32.exe, level 38, PID 804)
- Executes dropped EXE
C:\Windows\SysWOW64\Ldbaopdj.exe (cmd: C:\Windows\system32\Ldbaopdj.exe, level 39, PID 1968)
- Executes dropped EXE
C:\Windows\SysWOW64\Lklikj32.exe (cmd: C:\Windows\system32\Lklikj32.exe, level 40, PID 2608)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Lafahdcc.exe (cmd: C:\Windows\system32\Lafahdcc.exe, level 41, PID 1596)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Mhqjen32.exe (cmd: C:\Windows\system32\Mhqjen32.exe, level 42, PID 2108)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Mojbaham.exe (cmd: C:\Windows\system32\Mojbaham.exe, level 43, PID 1532)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Mdgkjopd.exe (cmd: C:\Windows\system32\Mdgkjopd.exe, level 44, PID 1252)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Mkacfiga.exe (cmd: C:\Windows\system32\Mkacfiga.exe, level 45, PID 2196)
- Executes dropped EXE
C:\Windows\SysWOW64\Mpnkopeh.exe (cmd: C:\Windows\system32\Mpnkopeh.exe, level 46, PID 2060)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Mghckj32.exe (cmd: C:\Windows\system32\Mghckj32.exe, level 47, PID 1784)
- Executes dropped EXE
C:\Windows\SysWOW64\Mdldeo32.exe (cmd: C:\Windows\system32\Mdldeo32.exe, level 48, PID 1788)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Mfmqmgbm.exe (cmd: C:\Windows\system32\Mfmqmgbm.exe, level 49, PID 956)
- Executes dropped EXE
C:\Windows\SysWOW64\Mndhnd32.exe (cmd: C:\Windows\system32\Mndhnd32.exe, level 50, PID 1816)
- Executes dropped EXE
C:\Windows\SysWOW64\Mgmmfjip.exe (cmd: C:\Windows\system32\Mgmmfjip.exe, level 51, PID 3036)
- Executes dropped EXE
C:\Windows\SysWOW64\Nhpfdaml.exe (cmd: C:\Windows\system32\Nhpfdaml.exe, level 52, PID 1316)
- Executes dropped EXE
C:\Windows\SysWOW64\Nojnql32.exe (cmd: C:\Windows\system32\Nojnql32.exe, level 53, PID 1720)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Nhbciaki.exe (cmd: C:\Windows\system32\Nhbciaki.exe, level 54, PID 2444)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Nnokahip.exe (cmd: C:\Windows\system32\Nnokahip.exe, level 55, PID 2436)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Nghpjn32.exe (cmd: C:\Windows\system32\Nghpjn32.exe, level 56, PID 3000)
- Executes dropped EXE
C:\Windows\SysWOW64\Nqpdcc32.exe (cmd: C:\Windows\system32\Nqpdcc32.exe, level 57, PID 1036)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Nbpqmfmd.exe (cmd: C:\Windows\system32\Nbpqmfmd.exe, level 58, PID 2804)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ogliemkk.exe (cmd: C:\Windows\system32\Ogliemkk.exe, level 59, PID 2924)
- Executes dropped EXE
C:\Windows\SysWOW64\Oqennbbl.exe (cmd: C:\Windows\system32\Oqennbbl.exe, level 60, PID 2624)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Occjjnap.exe (cmd: C:\Windows\system32\Occjjnap.exe, level 61, PID 2696)
- Executes dropped EXE
C:\Windows\SysWOW64\Oqgjdbpi.exe (cmd: C:\Windows\system32\Oqgjdbpi.exe, level 62, PID 2656)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Ogabql32.exe (cmd: C:\Windows\system32\Ogabql32.exe, level 63, PID 2528)
- Executes dropped EXE
C:\Windows\SysWOW64\Oibohdmd.exe (cmd: C:\Windows\system32\Oibohdmd.exe, level 64, PID 2548)
- Executes dropped EXE
C:\Windows\SysWOW64\Oplgeoea.exe (cmd: C:\Windows\system32\Oplgeoea.exe, level 65, PID 3004)
- Executes dropped EXE
C:\Windows\SysWOW64\Omphocck.exe (cmd: C:\Windows\system32\Omphocck.exe, level 66, PID 1576)
- Modifies registry class
C:\Windows\SysWOW64\Obmpgjbb.exe (cmd: C:\Windows\system32\Obmpgjbb.exe, level 67, PID 2088)
C:\Windows\SysWOW64\Ombddbah.exe (cmd: C:\Windows\system32\Ombddbah.exe, level 68, PID 1468)
C:\Windows\SysWOW64\Pbomli32.exe (cmd: C:\Windows\system32\Pbomli32.exe, level 69, PID 2492)
- Modifies registry class
C:\Windows\SysWOW64\Plhaeofp.exe (cmd: C:\Windows\system32\Plhaeofp.exe, level 70, PID 612)
C:\Windows\SysWOW64\Pjmnfk32.exe (cmd: C:\Windows\system32\Pjmnfk32.exe, level 71, PID 2728)
C:\Windows\SysWOW64\Pebbcdkn.exe (cmd: C:\Windows\system32\Pebbcdkn.exe, level 72, PID 2400)
- Modifies registry class
C:\Windows\SysWOW64\Pjoklkie.exe (cmd: C:\Windows\system32\Pjoklkie.exe, level 73, PID 1340)
C:\Windows\SysWOW64\Phcleoho.exe (cmd: C:\Windows\system32\Phcleoho.exe, level 74, PID 800)
- Drops file in System32 directory
C:\Windows\SysWOW64\Pmpdmfff.exe (cmd: C:\Windows\system32\Pmpdmfff.exe, level 75, PID 1864)
C:\Windows\SysWOW64\Phehko32.exe (cmd: C:\Windows\system32\Phehko32.exe, level 76, PID 548)
C:\Windows\SysWOW64\Qanmcdlm.exe (cmd: C:\Windows\system32\Qanmcdlm.exe, level 77, PID 2296)
- Drops file in System32 directory
C:\Windows\SysWOW64\Qmenhe32.exe (cmd: C:\Windows\system32\Qmenhe32.exe, level 78, PID 1852)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Aepbmhpl.exe (cmd: C:\Windows\system32\Aepbmhpl.exe, level 79, PID 2952)
C:\Windows\SysWOW64\Abdbflnf.exe (cmd: C:\Windows\system32\Abdbflnf.exe, level 80, PID 2180)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Allgoa32.exe (cmd: C:\Windows\system32\Allgoa32.exe, level 81, PID 1820)
C:\Windows\SysWOW64\Aipgifcp.exe (cmd: C:\Windows\system32\Aipgifcp.exe, level 82, PID 672)
C:\Windows\SysWOW64\Aompambg.exe (cmd: C:\Windows\system32\Aompambg.exe, level 83, PID 1780)
C:\Windows\SysWOW64\Ahedjb32.exe (cmd: C:\Windows\system32\Ahedjb32.exe, level 84, PID 1104)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ahhaobfe.exe (cmd: C:\Windows\system32\Ahhaobfe.exe, level 85, PID 1020)
C:\Windows\SysWOW64\Bapfhg32.exe (cmd: C:\Windows\system32\Bapfhg32.exe, level 86, PID 2384)
C:\Windows\SysWOW64\Bgmnpn32.exe (cmd: C:\Windows\system32\Bgmnpn32.exe, level 87, PID 848)
- Modifies registry class
C:\Windows\SysWOW64\Bngfmhbj.exe (cmd: C:\Windows\system32\Bngfmhbj.exe, level 88, PID 540)
C:\Windows\SysWOW64\Bdaojbjf.exe (cmd: C:\Windows\system32\Bdaojbjf.exe, level 89, PID 2096)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bkkgfm32.exe (cmd: C:\Windows\system32\Bkkgfm32.exe, level 90, PID 2056)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bllcnega.exe (cmd: C:\Windows\system32\Bllcnega.exe, level 91, PID 2440)
C:\Windows\SysWOW64\Bjpdhifk.exe (cmd: C:\Windows\system32\Bjpdhifk.exe, level 92, PID 2792)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Blnpddeo.exe (cmd: C:\Windows\system32\Blnpddeo.exe, level 93, PID 2544)
C:\Windows\SysWOW64\Bfgdmjlp.exe (cmd: C:\Windows\system32\Bfgdmjlp.exe, level 94, PID 2512)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Blqmid32.exe (cmd: C:\Windows\system32\Blqmid32.exe, level 95, PID 2076)
- Drops file in System32 directory
C:\Windows\SysWOW64\Bjembh32.exe (cmd: C:\Windows\system32\Bjembh32.exe, level 96, PID 1828)
C:\Windows\SysWOW64\Ckfjjqhd.exe (cmd: C:\Windows\system32\Ckfjjqhd.exe, level 97, PID 1592)
C:\Windows\SysWOW64\Cdnncfoe.exe (cmd: C:\Windows\system32\Cdnncfoe.exe, level 98, PID 440)
- Drops file in System32 directory
C:\Windows\SysWOW64\Clefdcog.exe (cmd: C:\Windows\system32\Clefdcog.exe, level 99, PID 988)
C:\Windows\SysWOW64\Chlgid32.exe (cmd: C:\Windows\system32\Chlgid32.exe, level 100, PID 772)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Cnipak32.exe (cmd: C:\Windows\system32\Cnipak32.exe, level 101, PID 1388)
- Drops file in System32 directory
C:\Windows\SysWOW64\Cgadja32.exe (cmd: C:\Windows\system32\Cgadja32.exe, level 102, PID 1108)
C:\Windows\SysWOW64\Cjppfl32.exe (cmd: C:\Windows\system32\Cjppfl32.exe, level 103, PID 2984)
C:\Windows\SysWOW64\Cnnimkom.exe (cmd: C:\Windows\system32\Cnnimkom.exe, level 104, PID 2164)
C:\Windows\SysWOW64\Ddhaie32.exe (cmd: C:\Windows\system32\Ddhaie32.exe, level 105, PID 2736)
C:\Windows\SysWOW64\Dnpebj32.exe (cmd: C:\Windows\system32\Dnpebj32.exe, level 106, PID 1640)
C:\Windows\SysWOW64\Haemloni.exe (cmd: C:\Windows\system32\Haemloni.exe, level 107, PID 2252)
C:\Windows\SysWOW64\Icbipe32.exe (cmd: C:\Windows\system32\Icbipe32.exe, level 108, PID 2376)
C:\Windows\SysWOW64\Immjnj32.exe (cmd: C:\Windows\system32\Immjnj32.exe, level 109, PID 1092)
C:\Windows\SysWOW64\Iblola32.exe (cmd: C:\Windows\system32\Iblola32.exe, level 110, PID 1196)
- Modifies registry class
C:\Windows\SysWOW64\Ifgklp32.exe (cmd: C:\Windows\system32\Ifgklp32.exe, level 111, PID 1156)
C:\Windows\SysWOW64\Iifghk32.exe (cmd: C:\Windows\system32\Iifghk32.exe, level 112, PID 2208)
C:\Windows\SysWOW64\Jfjhbo32.exe (cmd: C:\Windows\system32\Jfjhbo32.exe, level 113, PID 696)
C:\Windows\SysWOW64\Jeaahk32.exe (cmd: C:\Windows\system32\Jeaahk32.exe, level 114, PID 2476)
C:\Windows\SysWOW64\Jjnjqb32.exe (cmd: C:\Windows\system32\Jjnjqb32.exe, level 115, PID 2972)
C:\Windows\SysWOW64\Jmlfmn32.exe (cmd: C:\Windows\system32\Jmlfmn32.exe, level 116, PID 2320)
C:\Windows\SysWOW64\Jfekec32.exe (cmd: C:\Windows\system32\Jfekec32.exe, level 117, PID 2028)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Jnlbgq32.exe (cmd: C:\Windows\system32\Jnlbgq32.exe, level 118, PID 2824)
C:\Windows\SysWOW64\Kgdgpfnf.exe (cmd: C:\Windows\system32\Kgdgpfnf.exe, level 119, PID 1748)
C:\Windows\SysWOW64\Kmaphmln.exe (cmd: C:\Windows\system32\Kmaphmln.exe, level 120, PID 1000)
- Drops file in System32 directory
C:\Windows\SysWOW64\Kihpmnbb.exe (cmd: C:\Windows\system32\Kihpmnbb.exe, level 121, PID 1516)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Klfmijae.exe (cmd: C:\Windows\system32\Klfmijae.exe, level 122, PID 1860)