Analysis
max time kernel: 168s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2023 20:02
Behavioral task: behavioral1
Sample: NEAS.74dc6b22f5285e4bede8f3f0e0876d20.exe
Resource: win7-20231025-en
Behavioral task: behavioral2
Sample: NEAS.74dc6b22f5285e4bede8f3f0e0876d20.exe
Resource: win10v2004-20231025-en
General
Target: NEAS.74dc6b22f5285e4bede8f3f0e0876d20.exe
Size: 486KB
MD5: 74dc6b22f5285e4bede8f3f0e0876d20
SHA1: 2d724231c854efa0734f2484664783a9def587d1
SHA256: fc30618ce894f0f49e311a890b9829a368657f950a29c1244b70c33d6c9f1f0f
SHA512: 1523ee4732581a52e0330227002572dd5d51621680cd2763074e0c9337a2777b0d30f436cc1a8e499beda8c09f41f60ddbb4cd0f8d5243890ba92231feb9027b
SSDEEP: 12288:iNFHRFbe5qfF8Kfq30TXQYDy3i5/L5r0GBH1eW6:iNBRYqfF8Kfq30TXQYDy3i5/L5r0GBHY
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.74dc6b22f5285e4bede8f3f0e0876d20.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.74dc6b22f5285e4bede8f3f0e0876d20.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Kdmqmc32.exeC:\Windows\system32\Kdmqmc32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Kjmfjj32.exeC:\Windows\system32\Kjmfjj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852
-
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe1⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4200
-
-
C:\Windows\SysWOW64\Mglfplgk.exeC:\Windows\system32\Mglfplgk.exe1⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028
-
-
C:\Windows\SysWOW64\Mkmkkjko.exeC:\Windows\system32\Mkmkkjko.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4416 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe3⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe6⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe7⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe8⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Oanfen32.exeC:\Windows\system32\Oanfen32.exe10⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Ojgjndno.exeC:\Windows\system32\Ojgjndno.exe11⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe12⤵
- Executes dropped EXE
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Odalmibl.exeC:\Windows\system32\Odalmibl.exe13⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Oogpjbbb.exeC:\Windows\system32\Oogpjbbb.exe14⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe16⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe17⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe18⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pmaffnce.exeC:\Windows\system32\Pmaffnce.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Plbfdekd.exeC:\Windows\system32\Plbfdekd.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe21⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe22⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Qkipkani.exeC:\Windows\system32\Qkipkani.exe23⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Aogiap32.exeC:\Windows\system32\Aogiap32.exe24⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe25⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Aefjii32.exeC:\Windows\system32\Aefjii32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe28⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe29⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Adndoe32.exeC:\Windows\system32\Adndoe32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:212 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe31⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe33⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe36⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe37⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe38⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Cbpajgmf.exeC:\Windows\system32\Cbpajgmf.exe39⤵PID:2476
-
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe40⤵PID:2972
-
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe41⤵PID:2564
-
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe42⤵PID:3940
-
C:\Windows\SysWOW64\Dnmhpg32.exeC:\Windows\system32\Dnmhpg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4260 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe44⤵PID:4328
-
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe45⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe46⤵PID:1440
-
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe47⤵PID:1904
-
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe48⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe49⤵PID:4916
-
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe50⤵PID:1284
-
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe51⤵PID:1116
-
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe52⤵PID:4848
-
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe53⤵
- Modifies registry class
PID:3656 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe54⤵PID:2988
-
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe55⤵PID:1980
-
C:\Windows\SysWOW64\Ekodjiol.exeC:\Windows\system32\Ekodjiol.exe56⤵PID:5152
-
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe57⤵PID:5200
-
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe58⤵PID:5244
-
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe59⤵PID:5308
-
C:\Windows\SysWOW64\Efjbcakl.exeC:\Windows\system32\Efjbcakl.exe60⤵PID:5376
-
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe61⤵PID:5428
-
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe62⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe63⤵PID:5536
-
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe64⤵PID:5592
-
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe65⤵PID:5644
-
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe66⤵PID:5700
-
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe67⤵PID:5756
-
C:\Windows\SysWOW64\Flmqlg32.exeC:\Windows\system32\Flmqlg32.exe68⤵PID:5812
-
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe69⤵PID:5864
-
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe70⤵PID:5912
-
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe71⤵
- Drops file in System32 directory
PID:5960 -
C:\Windows\SysWOW64\Gpnfge32.exeC:\Windows\system32\Gpnfge32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe73⤵PID:6052
-
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe74⤵PID:6104
-
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe75⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe76⤵PID:5208
-
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe77⤵PID:5296
-
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe78⤵
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe79⤵PID:5464
-
C:\Windows\SysWOW64\Gmimai32.exeC:\Windows\system32\Gmimai32.exe80⤵PID:5576
-
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe81⤵PID:5680
-
C:\Windows\SysWOW64\Hipmfjee.exeC:\Windows\system32\Hipmfjee.exe82⤵PID:5752
-
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe83⤵PID:5840
-
C:\Windows\SysWOW64\Hefnkkkj.exeC:\Windows\system32\Hefnkkkj.exe84⤵PID:5928
-
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe85⤵PID:5992
-
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe86⤵PID:6096
-
C:\Windows\SysWOW64\Hblkjo32.exeC:\Windows\system32\Hblkjo32.exe87⤵PID:5180
-
C:\Windows\SysWOW64\Hmbphg32.exeC:\Windows\system32\Hmbphg32.exe88⤵PID:5260
-
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe89⤵PID:5456
-
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe90⤵PID:5584
-
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe91⤵PID:5744
-
C:\Windows\SysWOW64\Iepaaico.exeC:\Windows\system32\Iepaaico.exe92⤵PID:5876
-
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe93⤵PID:5980
-
C:\Windows\SysWOW64\Iebngial.exeC:\Windows\system32\Iebngial.exe94⤵PID:6140
-
C:\Windows\SysWOW64\Iojbpo32.exeC:\Windows\system32\Iojbpo32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe96⤵PID:5524
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5740 -
C:\Windows\SysWOW64\Iibccgep.exeC:\Windows\system32\Iibccgep.exe98⤵PID:5952
-
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe99⤵PID:5272
-
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe100⤵PID:5404
-
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe101⤵PID:3376
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe102⤵PID:6112
-
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe103⤵PID:6136
-
C:\Windows\SysWOW64\Jnlkedai.exeC:\Windows\system32\Jnlkedai.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:868 -
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe105⤵PID:6152
-
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe106⤵PID:6212
-
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe107⤵PID:6268
-
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe108⤵
- Drops file in System32 directory
PID:6308 -
C:\Windows\SysWOW64\Koaagkcb.exeC:\Windows\system32\Koaagkcb.exe109⤵PID:6356
-
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe110⤵PID:6404
-
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe111⤵PID:6444
-
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6496 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6536 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe114⤵PID:6584
-
C:\Windows\SysWOW64\Lfbped32.exeC:\Windows\system32\Lfbped32.exe115⤵PID:6624
-
C:\Windows\SysWOW64\Llmhaold.exeC:\Windows\system32\Llmhaold.exe116⤵
- Modifies registry class
PID:6668 -
C:\Windows\SysWOW64\Ljqhkckn.exeC:\Windows\system32\Ljqhkckn.exe117⤵
- Drops file in System32 directory
PID:6712 -
C:\Windows\SysWOW64\Lqkqhm32.exeC:\Windows\system32\Lqkqhm32.exe118⤵PID:6764
-
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe119⤵
- Modifies registry class
PID:6808 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe120⤵PID:6852
-
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe121⤵
- Modifies registry class
PID:6896 -
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe122⤵PID:6944