Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
02-11-2023 09:15
Behavioral task
behavioral1
Sample
NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe
-
Size
445KB
-
MD5
bedd83aa87420c8d441b80727b764b50
-
SHA1
43f66c706f6d1e8bc4fb170fb97fe50d9f6ba2a3
-
SHA256
aa5a4ffab3199ed0322fdcd1865e7908fc99d76707ca4e0503c2e0a09f68e7a4
-
SHA512
af61f31907f49965c18eb1550406e044ef79e0e61a1f06e846326c6f05062ebd4b5bfef14dcbf8866f100008bdb7e4d2865938d8f9ac06417e81909253b0ed7d
-
SSDEEP
12288:r0k+NwBrpV6yYPMLnfBJKFbhDwBpV6yYP0riuoCgNbbko8JfSIuMUb1V4D0:r/kwBrWMLnfBJKhVwBW0riuoCgNbbj8k
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgepanl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmcgcmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojopk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpleig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjcmngnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdfjld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeeci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbbmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odjmdocp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jddnfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfcfmlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afnnnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabcopmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpnfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahpmjejp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeopfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bqmeal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbdldnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbcmakpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keifdpif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbbgicnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjcmngnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohqnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdmcdhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqoiqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndeii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Foclgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djegekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahenokjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblmgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgmaqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjgchm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahaceo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckbncapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klddlckd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mqkiok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfhbga32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022cda-5.dat family_berbew behavioral2/files/0x0006000000022cda-8.dat family_berbew behavioral2/files/0x0006000000022cdc-14.dat family_berbew behavioral2/files/0x0006000000022cdc-15.dat family_berbew behavioral2/files/0x0006000000022cde-22.dat family_berbew behavioral2/files/0x0006000000022cde-24.dat family_berbew behavioral2/files/0x0006000000022ce0-30.dat family_berbew behavioral2/files/0x0006000000022ce0-32.dat family_berbew behavioral2/files/0x0006000000022ce2-33.dat family_berbew behavioral2/files/0x0006000000022ce2-38.dat family_berbew behavioral2/files/0x0006000000022ce2-40.dat family_berbew behavioral2/files/0x0006000000022ce4-46.dat family_berbew behavioral2/files/0x0006000000022ce4-48.dat family_berbew behavioral2/files/0x0006000000022ce6-54.dat family_berbew behavioral2/files/0x0006000000022ce6-56.dat family_berbew behavioral2/files/0x0006000000022ce8-63.dat family_berbew behavioral2/files/0x0006000000022ce8-62.dat family_berbew behavioral2/files/0x0006000000022cea-70.dat family_berbew behavioral2/files/0x0006000000022cea-72.dat family_berbew behavioral2/files/0x0006000000022cee-78.dat family_berbew behavioral2/files/0x0006000000022cee-80.dat family_berbew behavioral2/files/0x0006000000022cf1-86.dat family_berbew behavioral2/files/0x0006000000022cf1-88.dat family_berbew behavioral2/files/0x0006000000022cf4-94.dat family_berbew behavioral2/files/0x0006000000022cf4-96.dat family_berbew behavioral2/files/0x0006000000022cf6-102.dat family_berbew behavioral2/files/0x0006000000022cf6-104.dat family_berbew behavioral2/files/0x0006000000022cf8-112.dat family_berbew behavioral2/files/0x0006000000022cf8-110.dat family_berbew behavioral2/files/0x0006000000022cfc-118.dat family_berbew behavioral2/files/0x0006000000022cfc-119.dat family_berbew behavioral2/files/0x0006000000022cfe-126.dat family_berbew behavioral2/files/0x0006000000022cfe-128.dat family_berbew behavioral2/files/0x0006000000022d01-129.dat family_berbew behavioral2/files/0x0006000000022d01-134.dat family_berbew behavioral2/files/0x0006000000022d01-136.dat family_berbew behavioral2/files/0x0006000000022d03-142.dat family_berbew behavioral2/files/0x0006000000022d03-144.dat family_berbew behavioral2/files/0x0006000000022d0c-150.dat family_berbew behavioral2/files/0x0006000000022d0c-152.dat family_berbew behavioral2/files/0x0007000000022d0e-159.dat family_berbew behavioral2/files/0x0007000000022d0e-158.dat family_berbew behavioral2/files/0x0006000000022d14-166.dat family_berbew behavioral2/files/0x0006000000022d14-167.dat family_berbew behavioral2/files/0x0006000000022d17-176.dat family_berbew behavioral2/files/0x0006000000022d17-174.dat family_berbew behavioral2/files/0x0007000000022d08-182.dat family_berbew behavioral2/files/0x0007000000022d08-183.dat family_berbew behavioral2/files/0x0007000000022d19-190.dat family_berbew behavioral2/files/0x0007000000022d19-192.dat family_berbew behavioral2/files/0x0006000000022d1c-193.dat family_berbew behavioral2/files/0x0006000000022d1c-198.dat family_berbew behavioral2/files/0x0007000000022d12-206.dat family_berbew behavioral2/files/0x0007000000022d12-208.dat family_berbew behavioral2/files/0x0008000000022d16-214.dat family_berbew behavioral2/files/0x0008000000022d16-215.dat family_berbew behavioral2/files/0x0006000000022d1d-223.dat family_berbew behavioral2/files/0x0006000000022d1f-230.dat family_berbew behavioral2/files/0x0006000000022d1f-231.dat family_berbew behavioral2/files/0x0006000000022d1d-222.dat family_berbew behavioral2/files/0x0006000000022d21-239.dat family_berbew behavioral2/files/0x0006000000022d21-238.dat family_berbew behavioral2/files/0x0006000000022d23-246.dat family_berbew behavioral2/files/0x0006000000022d23-248.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3264 Qqhcpo32.exe 3472 Aqmlknnd.exe 3928 Aqoiqn32.exe 4548 Afnnnd32.exe 884 Bgpgng32.exe 2328 Bidqko32.exe 2712 Bqmeal32.exe 4448 Cmdfgm32.exe 4172 Cikglnkj.exe 3096 Caghhk32.exe 2272 Cpleig32.exe 4968 Dpnbog32.exe 2372 Djfcaohp.exe 4048 Dfmcfp32.exe 3012 Dfoplpla.exe 1292 Dfamapjo.exe 1064 Ehcfaboo.exe 1736 Eigonjcj.exe 488 Gphgbafl.exe 2140 Hnaqgd32.exe 4788 Hglaej32.exe 3816 Hhknpmma.exe 2204 Injcmc32.exe 1360 Iqklon32.exe 1672 Ijcahd32.exe 2136 Ibobdqid.exe 752 Jdpkflfe.exe 4620 Jjmcnbdm.exe 3524 Jhndljll.exe 1904 Jgcamf32.exe 2088 Jdgafjpn.exe 4496 Kndojobi.exe 4316 Kgopidgf.exe 4360 Kgamnded.exe 2008 Liqihglg.exe 404 Lnnbqnjn.exe 1996 Lnpofnhk.exe 3960 Lejgch32.exe 4928 Lelchgne.exe 3752 Llflea32.exe 1960 Lhmmjbkf.exe 4904 Meamcg32.exe 3064 Mbenmk32.exe 1044 Mnlnbl32.exe 4152 Mlpokp32.exe 2880 Micoed32.exe 4812 Mnphmkji.exe 1620 Nbnpcj32.exe 3324 Nacmdf32.exe 4828 Nklbmllg.exe 2684 Nlkngo32.exe 4296 Nkqkhk32.exe 2740 Nlphbnoe.exe 2724 Oehlkc32.exe 4376 Ooqqdi32.exe 2704 Oaajed32.exe 2212 Ohkbbn32.exe 4684 Oeoblb32.exe 3772 Olijhmgj.exe 3604 Ohpkmn32.exe 3332 Pcepkfld.exe 2820 Plndcl32.exe 2228 Pefhlaie.exe 4564 Pamiaboj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Amhdmi32.exe Acppddig.exe File created C:\Windows\SysWOW64\Jjgobjmp.dll Nlfnaicd.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jocefm32.exe File opened for modification C:\Windows\SysWOW64\Ppnenlka.exe Pbjddh32.exe File created C:\Windows\SysWOW64\Knooej32.exe Jdfjld32.exe File created C:\Windows\SysWOW64\Jlbngnmk.dll Jbncbpqd.exe File opened for modification C:\Windows\SysWOW64\Glldgljg.exe Gljgbllj.exe File created C:\Windows\SysWOW64\Ffqhcq32.exe Fpgpgfmh.exe File created C:\Windows\SysWOW64\Maaekg32.exe Mclhjkfa.exe File created C:\Windows\SysWOW64\Gdknpp32.exe Gnaecedp.exe File created C:\Windows\SysWOW64\Liqihglg.exe Kgamnded.exe File created C:\Windows\SysWOW64\Hleoiomo.dll Kdigadjo.exe File created C:\Windows\SysWOW64\Ngckdnpn.dll Gicgpelg.exe File opened for modification C:\Windows\SysWOW64\Ecdbop32.exe Ekimjn32.exe File opened for modification C:\Windows\SysWOW64\Ickglm32.exe Ilqoobdd.exe File opened for modification C:\Windows\SysWOW64\Ppgomnai.exe Pimfpc32.exe File created C:\Windows\SysWOW64\Ekjded32.exe Ebaplnie.exe File created C:\Windows\SysWOW64\Oodcdb32.exe Odoogi32.exe File created C:\Windows\SysWOW64\Cqichhmn.dll Pknqoc32.exe File opened for modification C:\Windows\SysWOW64\Efeihb32.exe Eeelnp32.exe File opened for modification C:\Windows\SysWOW64\Pdmdnadc.exe Pnmopk32.exe File created C:\Windows\SysWOW64\Iqklon32.exe Injcmc32.exe File created C:\Windows\SysWOW64\Ecgcfm32.exe Emmkiclm.exe File created C:\Windows\SysWOW64\Iefgbh32.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Ichqihli.dll Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Lnpofnhk.exe Lnnbqnjn.exe File created C:\Windows\SysWOW64\Mckdpoji.dll Jnjejjgh.exe File opened for modification C:\Windows\SysWOW64\Fdlkdhnk.exe Fooclapd.exe File created C:\Windows\SysWOW64\Hpmhdmea.exe Hpkknmgd.exe File opened for modification C:\Windows\SysWOW64\Eafbmgad.exe Ecdbop32.exe File created C:\Windows\SysWOW64\Oapijm32.dll Infhebbh.exe File created C:\Windows\SysWOW64\Oenqhaga.dll Dimenegi.exe File created C:\Windows\SysWOW64\Fihgkk32.dll Ljeafb32.exe File created C:\Windows\SysWOW64\Lacaea32.dll Dnajppda.exe File opened for modification C:\Windows\SysWOW64\Ajdbac32.exe Apnndj32.exe File created C:\Windows\SysWOW64\Gjcmngnj.exe Gdgdeppb.exe File created C:\Windows\SysWOW64\Hopaik32.dll Lojfin32.exe File opened for modification C:\Windows\SysWOW64\Cpleig32.exe Caghhk32.exe File opened for modification C:\Windows\SysWOW64\Hffken32.exe Hlpfhe32.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jgkdbacp.exe File opened for modification C:\Windows\SysWOW64\Ofmdio32.exe Oaplqh32.exe File opened for modification C:\Windows\SysWOW64\Mbibfm32.exe Mqhfoebo.exe File created C:\Windows\SysWOW64\Pknqoc32.exe Paelfmaf.exe File created C:\Windows\SysWOW64\Aablof32.dll Kpmdfonj.exe File created C:\Windows\SysWOW64\Bfnikd32.dll Lfbped32.exe File created C:\Windows\SysWOW64\Nqfbpb32.exe Njljch32.exe File opened for modification C:\Windows\SysWOW64\Lehhqg32.exe Lefkkg32.exe File created C:\Windows\SysWOW64\Meamcg32.exe Lhmmjbkf.exe File created C:\Windows\SysWOW64\Ockdmmoj.exe Omalpc32.exe File created C:\Windows\SysWOW64\Ompbfo32.dll Hbknebqi.exe File created C:\Windows\SysWOW64\Mglfplgk.exe Ljhefhha.exe File created C:\Windows\SysWOW64\Chiblk32.exe Caojpaij.exe File opened for modification C:\Windows\SysWOW64\Kiikpnmj.exe Kabcopmg.exe File created C:\Windows\SysWOW64\Gbhhqamj.dll Njgqhicg.exe File opened for modification C:\Windows\SysWOW64\Omalpc32.exe Ofgdcipq.exe File created C:\Windows\SysWOW64\Mlpokp32.exe Mnlnbl32.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Fflohaij.exe File created C:\Windows\SysWOW64\Eepmqdbn.dll Afpjel32.exe File created C:\Windows\SysWOW64\Ajdbac32.exe Apnndj32.exe File created C:\Windows\SysWOW64\Hiipmhmk.exe Hlepcdoa.exe File created C:\Windows\SysWOW64\Odjmdocp.exe Obkahddl.exe File created C:\Windows\SysWOW64\Jcleff32.dll Ncnofeof.exe File created C:\Windows\SysWOW64\Ilhkigcd.exe Iabglnco.exe File created C:\Windows\SysWOW64\Bihice32.dll Omalpc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jhndljll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcgjd32.dll" Lhmmjbkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncmhko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dcnqpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" Illfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lehhqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oeoblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khliclno.dll" Palbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblnengb.dll" Hkcbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll" Biklho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ingpmmgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hiipmhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll" Mqhfoebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll" Fofilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamgof32.dll" Khfkfedn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebiel32.dll" Njkkbehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll" Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll" Jjnaaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kapfiqoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcplmmbl.dll" Nacmdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll" Cmbgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncepolj.dll" Ggkqgaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmifh32.dll" Eiloco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fooclapd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hqdkkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qkfkng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjkejin.dll" Jikoopij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icogcjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll" Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgkjlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnngpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boldhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdgdeppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll" Jlgepanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppgomnai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqkamhk.dll" Bkafmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbcmakpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pknqoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oooaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cocjiehd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Foclgq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1516 wrote to memory of 3264 1516 NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe 87 PID 1516 wrote to memory of 3264 1516 NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe 87 PID 1516 wrote to memory of 3264 1516 NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe 87 PID 3264 wrote to memory of 3472 3264 Qqhcpo32.exe 88 PID 3264 wrote to memory of 3472 3264 Qqhcpo32.exe 88 PID 3264 wrote to memory of 3472 3264 Qqhcpo32.exe 88 PID 3472 wrote to memory of 3928 3472 Aqmlknnd.exe 90 PID 3472 wrote to memory of 3928 3472 Aqmlknnd.exe 90 PID 3472 wrote to memory of 3928 3472 Aqmlknnd.exe 90 PID 3928 wrote to memory of 4548 3928 Aqoiqn32.exe 91 PID 3928 wrote to memory of 4548 3928 Aqoiqn32.exe 91 PID 3928 wrote to memory of 4548 3928 Aqoiqn32.exe 91 PID 4548 wrote to memory of 884 4548 Afnnnd32.exe 92 PID 4548 wrote to memory of 884 4548 Afnnnd32.exe 92 PID 4548 wrote to memory of 884 4548 Afnnnd32.exe 92 PID 884 wrote to memory of 2328 884 Bgpgng32.exe 93 PID 884 wrote to memory of 2328 884 Bgpgng32.exe 93 PID 884 wrote to memory of 2328 884 Bgpgng32.exe 93 PID 2328 wrote to memory of 2712 2328 Bidqko32.exe 94 PID 2328 wrote to memory of 2712 2328 Bidqko32.exe 94 PID 2328 wrote to memory of 2712 2328 Bidqko32.exe 94 PID 2712 wrote to memory of 4448 2712 Bqmeal32.exe 95 PID 2712 wrote to memory of 4448 2712 Bqmeal32.exe 95 PID 2712 wrote to memory of 4448 2712 Bqmeal32.exe 95 PID 4448 wrote to memory of 4172 4448 Cmdfgm32.exe 96 PID 4448 wrote to memory of 4172 4448 Cmdfgm32.exe 96 PID 4448 wrote to memory of 4172 4448 Cmdfgm32.exe 96 PID 4172 wrote to memory of 3096 4172 Cikglnkj.exe 97 PID 4172 wrote to memory of 3096 4172 Cikglnkj.exe 97 PID 4172 wrote to memory of 3096 4172 Cikglnkj.exe 97 PID 3096 wrote to memory of 2272 3096 Caghhk32.exe 99 PID 3096 wrote to memory of 2272 3096 Caghhk32.exe 99 PID 3096 wrote to memory of 2272 3096 Caghhk32.exe 99 PID 2272 wrote to memory of 4968 2272 Cpleig32.exe 100 PID 2272 wrote to memory of 4968 2272 Cpleig32.exe 100 PID 2272 wrote to memory of 4968 2272 Cpleig32.exe 100 PID 4968 wrote to memory of 2372 4968 Dpnbog32.exe 102 PID 4968 wrote to memory of 2372 4968 Dpnbog32.exe 102 PID 4968 wrote to memory of 2372 4968 Dpnbog32.exe 102 PID 2372 wrote to memory of 4048 2372 Djfcaohp.exe 103 PID 2372 wrote to memory of 4048 2372 Djfcaohp.exe 103 PID 2372 wrote to memory of 4048 2372 Djfcaohp.exe 103 PID 4048 wrote to memory of 3012 4048 Dfmcfp32.exe 104 PID 4048 wrote to memory of 3012 4048 Dfmcfp32.exe 104 PID 4048 wrote to memory of 3012 4048 Dfmcfp32.exe 104 PID 3012 wrote to memory of 1292 3012 Dfoplpla.exe 105 PID 3012 wrote to memory of 1292 3012 Dfoplpla.exe 105 PID 3012 wrote to memory of 1292 3012 Dfoplpla.exe 105 PID 1292 wrote to memory of 1064 1292 Dfamapjo.exe 106 PID 1292 wrote to memory of 1064 1292 Dfamapjo.exe 106 PID 1292 wrote to memory of 1064 1292 Dfamapjo.exe 106 PID 1064 wrote to memory of 1736 1064 Ehcfaboo.exe 107 PID 1064 wrote to memory of 1736 1064 Ehcfaboo.exe 107 PID 1064 wrote to memory of 1736 1064 Ehcfaboo.exe 107 PID 1736 wrote to memory of 488 1736 Eigonjcj.exe 108 PID 1736 wrote to memory of 488 1736 Eigonjcj.exe 108 PID 1736 wrote to memory of 488 1736 Eigonjcj.exe 108 PID 488 wrote to memory of 2140 488 Gphgbafl.exe 109 PID 488 wrote to memory of 2140 488 Gphgbafl.exe 109 PID 488 wrote to memory of 2140 488 Gphgbafl.exe 109 PID 2140 wrote to memory of 4788 2140 Hnaqgd32.exe 110 PID 2140 wrote to memory of 4788 2140 Hnaqgd32.exe 110 PID 2140 wrote to memory of 4788 2140 Hnaqgd32.exe 110 PID 4788 wrote to memory of 3816 4788 Hglaej32.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bedd83aa87420c8d441b80727b764b50_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Afnnnd32.exeC:\Windows\system32\Afnnnd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Bqmeal32.exeC:\Windows\system32\Bqmeal32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe23⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe25⤵
- Executes dropped EXE
PID:1360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe1⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe2⤵PID:2448
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe3⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe4⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe5⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe6⤵
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe7⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe8⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe9⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe10⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe12⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:404 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe14⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe15⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe17⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe19⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe20⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe22⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe23⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe24⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe25⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe27⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe28⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe29⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe30⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe31⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe32⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe33⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe34⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4684 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe37⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe38⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Plndcl32.exeC:\Windows\system32\Plndcl32.exe39⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe41⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe42⤵PID:1832
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe43⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe44⤵PID:924
-
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe45⤵PID:2772
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe46⤵PID:1300
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe47⤵PID:2900
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe48⤵PID:1332
-
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe49⤵PID:1520
-
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3608 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe51⤵PID:3504
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe52⤵PID:1828
-
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe53⤵
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe54⤵PID:3048
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe55⤵PID:5148
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe56⤵PID:5200
-
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe57⤵PID:5252
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe58⤵PID:5296
-
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe59⤵PID:5364
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe60⤵PID:5428
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe61⤵PID:5484
-
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe62⤵PID:5520
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe63⤵PID:5564
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe64⤵PID:5616
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe65⤵PID:5660
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe66⤵PID:5700
-
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe67⤵PID:5756
-
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe68⤵
- Modifies registry class
PID:5804 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5852 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe70⤵
- Drops file in System32 directory
PID:5908 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe71⤵PID:5952
-
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe72⤵PID:5996
-
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe73⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe74⤵PID:6084
-
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe75⤵PID:6128
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe76⤵PID:5172
-
C:\Windows\SysWOW64\Fbajbi32.exeC:\Windows\system32\Fbajbi32.exe77⤵PID:5244
-
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe78⤵PID:5344
-
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe79⤵PID:5440
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe80⤵PID:5512
-
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe81⤵PID:5596
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe82⤵PID:5672
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe83⤵PID:5752
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe84⤵PID:5812
-
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe85⤵PID:5896
-
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe86⤵
- Drops file in System32 directory
PID:5988 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe87⤵PID:6056
-
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe88⤵PID:5160
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe89⤵PID:5264
-
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe90⤵PID:5456
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe91⤵
- Modifies registry class
PID:3972 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe92⤵PID:5688
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe93⤵PID:5792
-
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe94⤵PID:5932
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe95⤵PID:6052
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe97⤵PID:3440
-
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe98⤵
- Drops file in System32 directory
PID:5180 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe99⤵PID:5408
-
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe100⤵PID:5584
-
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe101⤵
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe104⤵PID:6064
-
C:\Windows\SysWOW64\Kdigadjo.exeC:\Windows\system32\Kdigadjo.exe105⤵
- Drops file in System32 directory
PID:5404 -
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe106⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe107⤵PID:5892
-
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1220 -
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe109⤵PID:5436
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe110⤵PID:5844
-
C:\Windows\SysWOW64\Ljobpiql.exeC:\Windows\system32\Ljobpiql.exe111⤵PID:5216
-
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe112⤵PID:3536
-
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe113⤵
- Drops file in System32 directory
PID:6168 -
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe114⤵PID:6204
-
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe115⤵PID:6272
-
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe116⤵PID:6312
-
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe117⤵PID:6356
-
C:\Windows\SysWOW64\Malpia32.exeC:\Windows\system32\Malpia32.exe118⤵PID:6400
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe119⤵PID:6444
-
C:\Windows\SysWOW64\Nclikl32.exeC:\Windows\system32\Nclikl32.exe120⤵PID:6488
-
C:\Windows\SysWOW64\Nmenca32.exeC:\Windows\system32\Nmenca32.exe121⤵PID:6532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-