Analysis
max time kernel: 88s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2023, 08:38
Behavioral task: behavioral1
Sample: NEAS.642efc15a60d1e832b2c4840bab678af.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.642efc15a60d1e832b2c4840bab678af.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.642efc15a60d1e832b2c4840bab678af.exe
Size: 378KB
MD5: 642efc15a60d1e832b2c4840bab678af
SHA1: 2815e18d6e52c0941462448c69c3bcaafb2a371d
SHA256: 6f5efb67c2db9deb00172ee71c3cce13502a544279ea682cce3ee0c4ecbb601d
SHA512: a2a418afae7d0883a9be14b53b66a974a03abfecada70eeb5a5e8e472cd541fd7f3cecdd49f6768877ed206a2d4fc191d77515cd59b3cdcc4d6f5c28499d08b5
SSDEEP: 6144:rLMD6YlrfGbqprtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5Vm:rW6CrRMsEat9pG4l+0K7WHT91M52vVAu
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7368, pid_target: 6260, Process: Process not Found, procid_target: 2192
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.642efc15a60d1e832b2c4840bab678af.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.642efc15a60d1e832b2c4840bab678af.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Fdccbl32.exeC:\Windows\system32\Fdccbl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jlobkg32.exeC:\Windows\system32\Jlobkg32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Kdkdgchl.exeC:\Windows\system32\Kdkdgchl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe23⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe24⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe25⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe26⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe27⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe28⤵PID:408
-
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe29⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe30⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Lnadagbm.exeC:\Windows\system32\Lnadagbm.exe31⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe32⤵
- Executes dropped EXE
PID:232 -
C:\Windows\SysWOW64\Lndagg32.exeC:\Windows\system32\Lndagg32.exe33⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe34⤵
- Executes dropped EXE
PID:4140
-
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe1⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe2⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Mgclpkac.exeC:\Windows\system32\Mgclpkac.exe3⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe5⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe6⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe7⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe8⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe9⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Njkkbehl.exeC:\Windows\system32\Njkkbehl.exe10⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe11⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Nlkgmh32.exeC:\Windows\system32\Nlkgmh32.exe12⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Neclenfo.exeC:\Windows\system32\Neclenfo.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe14⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe15⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Oloahhki.exeC:\Windows\system32\Oloahhki.exe16⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe17⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe18⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe19⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe20⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe21⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe22⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Omgcpokp.exeC:\Windows\system32\Omgcpokp.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe24⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe25⤵
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Plkpcfal.exeC:\Windows\system32\Plkpcfal.exe26⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5056 -
C:\Windows\SysWOW64\Pkpmdbfd.exeC:\Windows\system32\Pkpmdbfd.exe28⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Plpjoe32.exeC:\Windows\system32\Plpjoe32.exe29⤵
- Executes dropped EXE
PID:5084 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe30⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Pkegpb32.exeC:\Windows\system32\Pkegpb32.exe31⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe32⤵PID:4620
-
C:\Windows\SysWOW64\Pkgcea32.exeC:\Windows\system32\Pkgcea32.exe33⤵
- Modifies registry class
PID:4988 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe34⤵PID:3840
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe35⤵PID:4812
-
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe36⤵PID:792
-
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe37⤵PID:860
-
C:\Windows\SysWOW64\Ahpmjejp.exeC:\Windows\system32\Ahpmjejp.exe38⤵PID:1300
-
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe39⤵PID:264
-
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe40⤵PID:1892
-
C:\Windows\SysWOW64\Akqfkp32.exeC:\Windows\system32\Akqfkp32.exe41⤵PID:5132
-
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe42⤵PID:5172
-
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe43⤵PID:5212
-
C:\Windows\SysWOW64\Anclbkbp.exeC:\Windows\system32\Anclbkbp.exe44⤵PID:5268
-
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe45⤵PID:5304
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe46⤵PID:5348
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe47⤵PID:5396
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe48⤵PID:5464
-
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe49⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe50⤵PID:5576
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe51⤵PID:5624
-
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe52⤵PID:5672
-
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe53⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe54⤵PID:5796
-
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe55⤵PID:5836
-
C:\Windows\SysWOW64\Bffcpg32.exeC:\Windows\system32\Bffcpg32.exe56⤵PID:5892
-
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe57⤵PID:5956
-
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe58⤵PID:6012
-
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe60⤵PID:6104
-
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe61⤵PID:5124
-
C:\Windows\SysWOW64\Cnfaohbj.exeC:\Windows\system32\Cnfaohbj.exe62⤵PID:5196
-
C:\Windows\SysWOW64\Cdpjlb32.exeC:\Windows\system32\Cdpjlb32.exe63⤵PID:5292
-
C:\Windows\SysWOW64\Cofnik32.exeC:\Windows\system32\Cofnik32.exe64⤵PID:5360
-
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe65⤵PID:5436
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe66⤵PID:5552
-
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe67⤵PID:5636
-
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe69⤵PID:5844
-
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe70⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe71⤵PID:6024
-
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe72⤵PID:6084
-
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe73⤵PID:5164
-
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe74⤵PID:5288
-
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe75⤵PID:5448
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe76⤵PID:5588
-
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe77⤵PID:5724
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe78⤵PID:5888
-
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe79⤵PID:6004
-
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe80⤵
- Modifies registry class
PID:6116 -
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe81⤵PID:5248
-
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe82⤵PID:5336
-
C:\Windows\SysWOW64\Eejeiocj.exeC:\Windows\system32\Eejeiocj.exe83⤵PID:5544
-
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe84⤵PID:5808
-
C:\Windows\SysWOW64\Enbjad32.exeC:\Windows\system32\Enbjad32.exe85⤵PID:5964
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe86⤵PID:5156
-
C:\Windows\SysWOW64\Fmcjpl32.exeC:\Windows\system32\Fmcjpl32.exe87⤵PID:5356
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe88⤵PID:5692
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe89⤵PID:5204
-
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe90⤵
- Drops file in System32 directory
PID:3460 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe91⤵PID:5848
-
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe92⤵PID:5972
-
C:\Windows\SysWOW64\Gfhndpol.exeC:\Windows\system32\Gfhndpol.exe93⤵PID:6176
-
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe94⤵PID:6220
-
C:\Windows\SysWOW64\Gfjkjo32.exeC:\Windows\system32\Gfjkjo32.exe95⤵PID:6260
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe96⤵PID:6308
-
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe97⤵PID:6344
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe98⤵PID:6392
-
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe99⤵
- Modifies registry class
PID:6424 -
C:\Windows\SysWOW64\Gfodeohd.exeC:\Windows\system32\Gfodeohd.exe100⤵
- Drops file in System32 directory
PID:6472 -
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe101⤵PID:6508
-
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe102⤵PID:6556
-
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe103⤵PID:6608
-
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe104⤵
- Drops file in System32 directory
PID:6652 -
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe105⤵PID:6696
-
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe106⤵PID:6740
-
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe107⤵PID:6784
-
C:\Windows\SysWOW64\Hidgai32.exeC:\Windows\system32\Hidgai32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6828 -
C:\Windows\SysWOW64\Hpnoncim.exeC:\Windows\system32\Hpnoncim.exe109⤵PID:6872
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6916 -
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe111⤵PID:6960
-
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe112⤵PID:7016
-
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe113⤵PID:7060
-
C:\Windows\SysWOW64\Hoeieolb.exeC:\Windows\system32\Hoeieolb.exe114⤵PID:7100
-
C:\Windows\SysWOW64\Iliinc32.exeC:\Windows\system32\Iliinc32.exe115⤵PID:7144
-
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe116⤵PID:5408
-
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe117⤵PID:6244
-
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe118⤵PID:6300
-
C:\Windows\SysWOW64\Imkbnf32.exeC:\Windows\system32\Imkbnf32.exe119⤵PID:6380
-
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe120⤵
- Drops file in System32 directory
PID:6448 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe121⤵PID:6524
-
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe122⤵PID:6604
-