Analysis
max time kernel: 187s
max time network: 121s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2023, 20:47
Behavioral task: behavioral1
Sample: NEAS.2bf8b060d979373829a52bec981cbe50.exe
Resource: win7-20231025-en
Behavioral task: behavioral2
Sample: NEAS.2bf8b060d979373829a52bec981cbe50.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.2bf8b060d979373829a52bec981cbe50.exe
Size: 151KB
MD5: 2bf8b060d979373829a52bec981cbe50
SHA1: d28f59b268e2877bdcb9d72e983e685ed1e8556b
SHA256: bd755fbd6be03ec955f630ba36949d24d07308a82bc4aaeb6f1201f63399b46d
SHA512: cda37430b3ef2ff2f5601ad369049c4864f0152cf978c590b8f880240df0133bafb380264d9082acd6015600bd1e19a98fbf0717c6874186c55a43ffd845bd72
SSDEEP: 3072:OOqkneN1EGKQvTxsew9ZJZ9VSUrhZw795SkKF:OY8EGDTueuZJhBG95
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware family classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2300 wrote to memory of 1308 2300 NEAS.2bf8b060d979373829a52bec981cbe50.exe 28
PID 2300 wrote to memory of 1308 2300 NEAS.2bf8b060d979373829a52bec981cbe50.exe 28
PID 2300 wrote to memory of 1308 2300 NEAS.2bf8b060d979373829a52bec981cbe50.exe 28
PID 2300 wrote to memory of 1308 2300 NEAS.2bf8b060d979373829a52bec981cbe50.exe 28
PID 1308 wrote to memory of 2864 1308 Popgboae.exe 30
PID 1308 wrote to memory of 2864 1308 Popgboae.exe 30
PID 1308 wrote to memory of 2864 1308 Popgboae.exe 30
PID 1308 wrote to memory of 2864 1308 Popgboae.exe 30
PID 2864 wrote to memory of 2412 2864 Anogijnb.exe 31
PID 2864 wrote to memory of 2412 2864 Anogijnb.exe 31
PID 2864 wrote to memory of 2412 2864 Anogijnb.exe 31
PID 2864 wrote to memory of 2412 2864 Anogijnb.exe 31
PID 2412 wrote to memory of 2516 2412 Adipfd32.exe 32
PID 2412 wrote to memory of 2516 2412 Adipfd32.exe 32
PID 2412 wrote to memory of 2516 2412 Adipfd32.exe 32
PID 2412 wrote to memory of 2516 2412 Adipfd32.exe 32
PID 2516 wrote to memory of 2372 2516 Alddjg32.exe 33
PID 2516 wrote to memory of 2372 2516 Alddjg32.exe 33
PID 2516 wrote to memory of 2372 2516 Alddjg32.exe 33
PID 2516 wrote to memory of 2372 2516 Alddjg32.exe 33
PID 2372 wrote to memory of 2744 2372 Blfapfpg.exe 34
PID 2372 wrote to memory of 2744 2372 Blfapfpg.exe 34
PID 2372 wrote to memory of 2744 2372 Blfapfpg.exe 34
PID 2372 wrote to memory of 2744 2372 Blfapfpg.exe 34
PID 2744 wrote to memory of 2896 2744 Bjjaikoa.exe 35
PID 2744 wrote to memory of 2896 2744 Bjjaikoa.exe 35
PID 2744 wrote to memory of 2896 2744 Bjjaikoa.exe 35
PID 2744 wrote to memory of 2896 2744 Bjjaikoa.exe 35
PID 2896 wrote to memory of 1488 2896 Bknjfb32.exe 36
PID 2896 wrote to memory of 1488 2896 Bknjfb32.exe 36
PID 2896 wrote to memory of 1488 2896 Bknjfb32.exe 36
PID 2896 wrote to memory of 1488 2896 Bknjfb32.exe 36
PID 1488 wrote to memory of 2724 1488 Bolcma32.exe 37
PID 1488 wrote to memory of 2724 1488 Bolcma32.exe 37
PID 1488 wrote to memory of 2724 1488 Bolcma32.exe 37
PID 1488 wrote to memory of 2724 1488 Bolcma32.exe 37
PID 2724 wrote to memory of 592 2724 Bkbdabog.exe 38
PID 2724 wrote to memory of 592 2724 Bkbdabog.exe 38
PID 2724 wrote to memory of 592 2724 Bkbdabog.exe 38
PID 2724 wrote to memory of 592 2724 Bkbdabog.exe 38
PID 592 wrote to memory of 1288 592 Cgidfcdk.exe 39
PID 592 wrote to memory of 1288 592 Cgidfcdk.exe 39
PID 592 wrote to memory of 1288 592 Cgidfcdk.exe 39
PID 592 wrote to memory of 1288 592 Cgidfcdk.exe 39
PID 1288 wrote to memory of 760 1288 Cmfmojcb.exe 40
PID 1288 wrote to memory of 760 1288 Cmfmojcb.exe 40
PID 1288 wrote to memory of 760 1288 Cmfmojcb.exe 40
PID 1288 wrote to memory of 760 1288 Cmfmojcb.exe 40
PID 760 wrote to memory of 2956 760 Cjjnhnbl.exe 41
PID 760 wrote to memory of 2956 760 Cjjnhnbl.exe 41
PID 760 wrote to memory of 2956 760 Cjjnhnbl.exe 41
PID 760 wrote to memory of 2956 760 Cjjnhnbl.exe 41
PID 2956 wrote to memory of 1628 2956 Ciokijfd.exe 42
PID 2956 wrote to memory of 1628 2956 Ciokijfd.exe 42
PID 2956 wrote to memory of 1628 2956 Ciokijfd.exe 42
PID 2956 wrote to memory of 1628 2956 Ciokijfd.exe 42
PID 1628 wrote to memory of 2900 1628 Cbgobp32.exe 43
PID 1628 wrote to memory of 2900 1628 Cbgobp32.exe 43
PID 1628 wrote to memory of 2900 1628 Cbgobp32.exe 43
PID 1628 wrote to memory of 2900 1628 Cbgobp32.exe 43
PID 2900 wrote to memory of 904 2900 Dpnladjl.exe 44
PID 2900 wrote to memory of 904 2900 Dpnladjl.exe 44
PID 2900 wrote to memory of 904 2900 Dpnladjl.exe 44
PID 2900 wrote to memory of 904 2900 Dpnladjl.exe 44
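The two event tables above carry the persistence story of this sample: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" points at CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and successive stages rewrite that CLSID's InProcServer32 default value to a DLL in SysWow64, which Explorer.exe loads at logon. The following script is an added triage example, not part of this report or of any sandbox's tooling: it parses the run-together registry and WriteProcessMemory rows (the row grammar is inferred from the report's own lines, and the sample events are constructed from them), correlates SSODL name to CLSID to DLL path together with the process that wrote each piece, and rebuilds the de-duplicated launch chain from the memory-write rows. Function names are this example's own.

```python
"""Triage helper for this flattened sandbox report (added example).

Parses two event kinds the report prints as run-together text:

  registry writes:  <action> <key>[ = "<data>"] <process>
  memory writes:    PID <a> wrote to memory of <b> <a> <image> <target>

and correlates the SSODL entry with the InProcServer32 DLL registered under
the CLSID it names. The grammar is inferred from the report; sample events
below are constructed from its lines.
"""
import re
from collections import defaultdict

# Constructed sample input: registry events copied from this report.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oilgje32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihhjjm32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knmjmodm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccmkee.dll" Glefpd32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piondi32.dll" Ghagjj32.exe',
]

# Constructed sample input: the first WriteProcessMemory rows, including the
# repeated rows the sandbox logs for each child.
MEMORY_EVENTS = [
    'PID 2300 wrote to memory of 1308 2300 NEAS.2bf8b060d979373829a52bec981cbe50.exe 28',
    'PID 2300 wrote to memory of 1308 2300 NEAS.2bf8b060d979373829a52bec981cbe50.exe 28',
    'PID 1308 wrote to memory of 2864 1308 Popgboae.exe 30',
    'PID 1308 wrote to memory of 2864 1308 Popgboae.exe 30',
    'PID 2864 wrote to memory of 2412 2864 Anogijnb.exe 31',
]

REG_RE = re.compile(r'^(Set value \(str\)|Key created) (.+) (\S+\.exe)$')
MEM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_registry(lines):
    """Yield (action, key, value_name, data, process) per registry event.
    value_name '' is the key's (Default) value; Key created rows carry None."""
    for line in lines:
        m = REG_RE.match(line.strip())
        if not m:
            continue
        action, body, proc = m.groups()
        if action == 'Key created':
            yield action, body, None, None, proc
            continue
        key, _, data = body.partition(' = ')
        key, _, value_name = key.rpartition('\\')
        # the report doubles backslashes inside string data; undo that
        yield action, key, value_name, data.strip('"').replace('\\\\', '\\'), proc


def ssodl_persistence(lines):
    """Map each SSODL value to the CLSID it names and to every InProcServer32
    (Default) path written for that CLSID, keeping which process wrote each."""
    ssodl = {}                   # value name -> (clsid, process)
    servers = defaultdict(dict)  # clsid -> {dll path: process}
    for action, key, name, data, proc in parse_registry(lines):
        if action != 'Set value (str)':
            continue
        if key.endswith('\\ShellServiceObjectDelayLoad') and CLSID_RE.fullmatch(data):
            ssodl[name] = (data.upper(), proc)
        elif key.endswith('\\InProcServer32') and name == '':
            clsid = CLSID_RE.search(key)
            if clsid:
                servers[clsid.group(0).upper()][data] = proc
    return {name: {'clsid': clsid, 'set_by': proc, 'dlls': dict(servers.get(clsid, {}))}
            for name, (clsid, proc) in ssodl.items()}


def execution_chain(lines, root_pid):
    """Follow de-duplicated 'wrote to memory of' edges from root_pid and return
    [(writer_pid, writer_image, target_pid), ...] in launch order. This report
    is a straight chain (one child per writer), which is all this walk handles."""
    edges = {}
    for line in lines:
        m = MEM_RE.match(line.strip())
        if m:
            writer, target, image, _ = m.groups()
            edges.setdefault(int(writer), (image, int(target)))
    chain, pid, seen = [], root_pid, set()
    while pid in edges and pid not in seen:
        seen.add(pid)
        image, target = edges[pid]
        chain.append((pid, image, target))
        pid = target
    return chain


if __name__ == '__main__':
    for name, info in ssodl_persistence(REGISTRY_EVENTS).items():
        print(f'SSODL "{name}" -> {info["clsid"]} (set by {info["set_by"]})')
        for dll, proc in info['dlls'].items():
            print(f'    InProcServer32 = {dll}  (written by {proc})')
    for writer, image, target in execution_chain(MEMORY_EVENTS, 2300):
        print(f'{writer} {image} -> {target}')
```

Run against the full report the DLL map grows to one entry per stage that rewrote InProcServer32, which is the list of paths to pull from the sandbox's dropped-file set; the chain walk stops at the first PID that never appears as a writer, so a branching tree would need a child list per writer instead of a single edge.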
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2bf8b060d979373829a52bec981cbe50.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.2bf8b060d979373829a52bec981cbe50.exe"; depth 1)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2300
C:\Windows\SysWOW64\Popgboae.exe  (cmdline: C:\Windows\system32\Popgboae.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1308
C:\Windows\SysWOW64\Anogijnb.exe  (cmdline: C:\Windows\system32\Anogijnb.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2864
C:\Windows\SysWOW64\Adipfd32.exe  (cmdline: C:\Windows\system32\Adipfd32.exe; depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2412
C:\Windows\SysWOW64\Alddjg32.exe  (cmdline: C:\Windows\system32\Alddjg32.exe; depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2516
C:\Windows\SysWOW64\Blfapfpg.exe  (cmdline: C:\Windows\system32\Blfapfpg.exe; depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2372
C:\Windows\SysWOW64\Bjjaikoa.exe  (cmdline: C:\Windows\system32\Bjjaikoa.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2744
C:\Windows\SysWOW64\Bknjfb32.exe  (cmdline: C:\Windows\system32\Bknjfb32.exe; depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2896
C:\Windows\SysWOW64\Bolcma32.exe  (cmdline: C:\Windows\system32\Bolcma32.exe; depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1488
C:\Windows\SysWOW64\Bkbdabog.exe  (cmdline: C:\Windows\system32\Bkbdabog.exe; depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2724
C:\Windows\SysWOW64\Cgidfcdk.exe  (cmdline: C:\Windows\system32\Cgidfcdk.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 592
C:\Windows\SysWOW64\Cmfmojcb.exe  (cmdline: C:\Windows\system32\Cmfmojcb.exe; depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1288
C:\Windows\SysWOW64\Cjjnhnbl.exe  (cmdline: C:\Windows\system32\Cjjnhnbl.exe; depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 760
C:\Windows\SysWOW64\Ciokijfd.exe  (cmdline: C:\Windows\system32\Ciokijfd.exe; depth 14)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2956
C:\Windows\SysWOW64\Cbgobp32.exe  (cmdline: C:\Windows\system32\Cbgobp32.exe; depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1628
C:\Windows\SysWOW64\Dpnladjl.exe  (cmdline: C:\Windows\system32\Dpnladjl.exe; depth 16)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2900
C:\Windows\SysWOW64\Dkdmfe32.exe  (cmdline: C:\Windows\system32\Dkdmfe32.exe; depth 17)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 904
C:\Windows\SysWOW64\Dihmpinj.exe  (cmdline: C:\Windows\system32\Dihmpinj.exe; depth 18)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2384
C:\Windows\SysWOW64\Djjjga32.exe  (cmdline: C:\Windows\system32\Djjjga32.exe; depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID: 1944
C:\Windows\SysWOW64\Deondj32.exe  (cmdline: C:\Windows\system32\Deondj32.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID: 1780
C:\Windows\SysWOW64\Dmkcil32.exe  (cmdline: C:\Windows\system32\Dmkcil32.exe; depth 21)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2236
C:\Windows\SysWOW64\Dhpgfeao.exe  (cmdline: C:\Windows\system32\Dhpgfeao.exe; depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 900
C:\Windows\SysWOW64\Dmmpolof.exe  (cmdline: C:\Windows\system32\Dmmpolof.exe; depth 23)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1544
C:\Windows\SysWOW64\Dhbdleol.exe  (cmdline: C:\Windows\system32\Dhbdleol.exe; depth 24)
- Executes dropped EXE
- Loads dropped DLL
PID: 588
C:\Windows\SysWOW64\Efhqmadd.exe  (cmdline: C:\Windows\system32\Efhqmadd.exe; depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2492
C:\Windows\SysWOW64\Efjmbaba.exe  (cmdline: C:\Windows\system32\Efjmbaba.exe; depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1504
C:\Windows\SysWOW64\Ebqngb32.exe  (cmdline: C:\Windows\system32\Ebqngb32.exe; depth 27)
- Executes dropped EXE
- Loads dropped DLL
PID: 2108
C:\Windows\SysWOW64\Eafkhn32.exe  (cmdline: C:\Windows\system32\Eafkhn32.exe; depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID: 1600
C:\Windows\SysWOW64\Eojlbb32.exe  (cmdline: C:\Windows\system32\Eojlbb32.exe; depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID: 2644
C:\Windows\SysWOW64\Fefqdl32.exe  (cmdline: C:\Windows\system32\Fefqdl32.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID: 2844
C:\Windows\SysWOW64\Fkcilc32.exe  (cmdline: C:\Windows\system32\Fkcilc32.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID: 1216
C:\Windows\SysWOW64\Fppaej32.exe  (cmdline: C:\Windows\system32\Fppaej32.exe; depth 32)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2528
C:\Windows\SysWOW64\Faonom32.exe  (cmdline: C:\Windows\system32\Faonom32.exe; depth 33)
- Executes dropped EXE
PID: 3052
C:\Windows\SysWOW64\Fkhbgbkc.exe  (cmdline: C:\Windows\system32\Fkhbgbkc.exe; depth 34)
- Executes dropped EXE
PID: 2800
C:\Windows\SysWOW64\Fdpgph32.exe  (cmdline: C:\Windows\system32\Fdpgph32.exe; depth 35)
- Executes dropped EXE
PID: 1928
C:\Windows\SysWOW64\Gmhkin32.exe  (cmdline: C:\Windows\system32\Gmhkin32.exe; depth 36)
- Executes dropped EXE
PID: 1968
C:\Windows\SysWOW64\Gcedad32.exe  (cmdline: C:\Windows\system32\Gcedad32.exe; depth 37)
- Executes dropped EXE
PID: 2584
C:\Windows\SysWOW64\Ghbljk32.exe  (cmdline: C:\Windows\system32\Ghbljk32.exe; depth 38)
- Executes dropped EXE
PID: 2728
C:\Windows\SysWOW64\Gpidki32.exe  (cmdline: C:\Windows\system32\Gpidki32.exe; depth 39)
- Executes dropped EXE
PID: 984
C:\Windows\SysWOW64\Giaidnkf.exe  (cmdline: C:\Windows\system32\Giaidnkf.exe; depth 40)
- Executes dropped EXE
PID: 2872
C:\Windows\SysWOW64\Gkcekfad.exe  (cmdline: C:\Windows\system32\Gkcekfad.exe; depth 41)
- Executes dropped EXE
PID: 2960
C:\Windows\SysWOW64\Gdkjdl32.exe  (cmdline: C:\Windows\system32\Gdkjdl32.exe; depth 42)
- Executes dropped EXE
PID: 1620
C:\Windows\SysWOW64\Gncnmane.exe  (cmdline: C:\Windows\system32\Gncnmane.exe; depth 43)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2200
C:\Windows\SysWOW64\Gdnfjl32.exe  (cmdline: C:\Windows\system32\Gdnfjl32.exe; depth 44)
- Executes dropped EXE
PID: 3048
C:\Windows\SysWOW64\Gaagcpdl.exe  (cmdline: C:\Windows\system32\Gaagcpdl.exe; depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1340
C:\Windows\SysWOW64\Hhkopj32.exe  (cmdline: C:\Windows\system32\Hhkopj32.exe; depth 46)
- Executes dropped EXE
PID: 2416
C:\Windows\SysWOW64\Hjmlhbbg.exe  (cmdline: C:\Windows\system32\Hjmlhbbg.exe; depth 47)
- Executes dropped EXE
PID: 1740
C:\Windows\SysWOW64\Hgqlafap.exe  (cmdline: C:\Windows\system32\Hgqlafap.exe; depth 48)
- Executes dropped EXE
- Modifies registry class
PID: 1108
C:\Windows\SysWOW64\Hddmjk32.exe  (cmdline: C:\Windows\system32\Hddmjk32.exe; depth 49)
- Executes dropped EXE
PID: 956
C:\Windows\SysWOW64\Hnmacpfj.exe  (cmdline: C:\Windows\system32\Hnmacpfj.exe; depth 50)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1284
C:\Windows\SysWOW64\Hifbdnbi.exe  (cmdline: C:\Windows\system32\Hifbdnbi.exe; depth 51)
- Executes dropped EXE
PID: 2276
C:\Windows\SysWOW64\Hqnjek32.exe  (cmdline: C:\Windows\system32\Hqnjek32.exe; depth 52)
- Executes dropped EXE
PID: 888
C:\Windows\SysWOW64\Hiioin32.exe  (cmdline: C:\Windows\system32\Hiioin32.exe; depth 53)
- Executes dropped EXE
PID: 2176
C:\Windows\SysWOW64\Iocgfhhc.exe  (cmdline: C:\Windows\system32\Iocgfhhc.exe; depth 54)
- Executes dropped EXE
PID: 2320
C:\Windows\SysWOW64\Ibacbcgg.exe  (cmdline: C:\Windows\system32\Ibacbcgg.exe; depth 55)
- Executes dropped EXE
PID: 2660
C:\Windows\SysWOW64\Ikjhki32.exe  (cmdline: C:\Windows\system32\Ikjhki32.exe; depth 56)
- Executes dropped EXE
PID: 2820
C:\Windows\SysWOW64\Iebldo32.exe  (cmdline: C:\Windows\system32\Iebldo32.exe; depth 57)
- Executes dropped EXE
PID: 2540
C:\Windows\SysWOW64\Iogpag32.exe  (cmdline: C:\Windows\system32\Iogpag32.exe; depth 58)
- Executes dropped EXE
PID: 1680
C:\Windows\SysWOW64\Ibfmmb32.exe  (cmdline: C:\Windows\system32\Ibfmmb32.exe; depth 59)
- Executes dropped EXE
PID: 2856
C:\Windows\SysWOW64\Iipejmko.exe  (cmdline: C:\Windows\system32\Iipejmko.exe; depth 60)
- Executes dropped EXE
PID: 2908
C:\Windows\SysWOW64\Lklikj32.exe  (cmdline: C:\Windows\system32\Lklikj32.exe; depth 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 632
C:\Windows\SysWOW64\Obmpgjbb.exe  (cmdline: C:\Windows\system32\Obmpgjbb.exe; depth 62)
- Executes dropped EXE
PID: 1036
C:\Windows\SysWOW64\Maldfbjn.exe  (cmdline: C:\Windows\system32\Maldfbjn.exe; depth 63)
- Executes dropped EXE
PID: 1088
C:\Windows\SysWOW64\Ahpddmia.exe  (cmdline: C:\Windows\system32\Ahpddmia.exe; depth 64)
- Executes dropped EXE
PID: 2920
C:\Windows\SysWOW64\Ammmlcgi.exe  (cmdline: C:\Windows\system32\Ammmlcgi.exe; depth 65)
- Executes dropped EXE
PID: 272
C:\Windows\SysWOW64\Aicmadmm.exe  (cmdline: C:\Windows\system32\Aicmadmm.exe; depth 66)
PID: 2404
C:\Windows\SysWOW64\Albjnplq.exe  (cmdline: C:\Windows\system32\Albjnplq.exe; depth 67)
PID: 2992
C:\Windows\SysWOW64\Adiaommc.exe  (cmdline: C:\Windows\system32\Adiaommc.exe; depth 68)
PID: 1664
C:\Windows\SysWOW64\Aejnfe32.exe  (cmdline: C:\Windows\system32\Aejnfe32.exe; depth 69)
- Drops file in System32 directory
PID: 832
C:\Windows\SysWOW64\Appbcn32.exe  (cmdline: C:\Windows\system32\Appbcn32.exe; depth 70)
PID: 776
C:\Windows\SysWOW64\Abnopj32.exe  (cmdline: C:\Windows\system32\Abnopj32.exe; depth 71)
PID: 1392
C:\Windows\SysWOW64\Bpboinpd.exe  (cmdline: C:\Windows\system32\Bpboinpd.exe; depth 72)
PID: 1732
C:\Windows\SysWOW64\Cglcek32.exe  (cmdline: C:\Windows\system32\Cglcek32.exe; depth 73)
PID: 868
C:\Windows\SysWOW64\Clilmbhd.exe  (cmdline: C:\Windows\system32\Clilmbhd.exe; depth 74)
PID: 1000
C:\Windows\SysWOW64\Cdpdnpif.exe  (cmdline: C:\Windows\system32\Cdpdnpif.exe; depth 75)
PID: 2172
C:\Windows\SysWOW64\Cojeomee.exe  (cmdline: C:\Windows\system32\Cojeomee.exe; depth 76)
PID: 2668
C:\Windows\SysWOW64\Cgqmpkfg.exe  (cmdline: C:\Windows\system32\Cgqmpkfg.exe; depth 77)
- Modifies registry class
PID: 2780
C:\Windows\SysWOW64\Clnehado.exe  (cmdline: C:\Windows\system32\Clnehado.exe; depth 78)
- Drops file in System32 directory
PID: 3060
C:\Windows\SysWOW64\Coladm32.exe  (cmdline: C:\Windows\system32\Coladm32.exe; depth 79)
PID: 1256
C:\Windows\SysWOW64\Dqddmd32.exe  (cmdline: C:\Windows\system32\Dqddmd32.exe; depth 80)
PID: 1644
C:\Windows\SysWOW64\Dkjhjm32.exe  (cmdline: C:\Windows\system32\Dkjhjm32.exe; depth 81)
- Modifies registry class
PID: 1532
C:\Windows\SysWOW64\Dbdagg32.exe  (cmdline: C:\Windows\system32\Dbdagg32.exe; depth 82)
PID: 780
C:\Windows\SysWOW64\Dqfabdaf.exe  (cmdline: C:\Windows\system32\Dqfabdaf.exe; depth 83)
PID: 388
C:\Windows\SysWOW64\Dklepmal.exe  (cmdline: C:\Windows\system32\Dklepmal.exe; depth 84)
PID: 1264
C:\Windows\SysWOW64\Dmmbge32.exe  (cmdline: C:\Windows\system32\Dmmbge32.exe; depth 85)
PID: 2052
C:\Windows\SysWOW64\Ecgjdong.exe  (cmdline: C:\Windows\system32\Ecgjdong.exe; depth 86)
PID: 828
C:\Windows\SysWOW64\Enmnahnm.exe  (cmdline: C:\Windows\system32\Enmnahnm.exe; depth 87)
PID: 612
C:\Windows\SysWOW64\Ecjgio32.exe  (cmdline: C:\Windows\system32\Ecjgio32.exe; depth 88)
PID: 1756
C:\Windows\SysWOW64\Ejcofica.exe  (cmdline: C:\Windows\system32\Ejcofica.exe; depth 89)
- Drops file in System32 directory
PID: 2388
C:\Windows\SysWOW64\Ecnpdnho.exe  (cmdline: C:\Windows\system32\Ecnpdnho.exe; depth 90)
PID: 3028
C:\Windows\SysWOW64\Efmlqigc.exe  (cmdline: C:\Windows\system32\Efmlqigc.exe; depth 91)
PID: 812
C:\Windows\SysWOW64\Elieipej.exe  (cmdline: C:\Windows\system32\Elieipej.exe; depth 92)
PID: 1516
C:\Windows\SysWOW64\Enhaeldn.exe  (cmdline: C:\Windows\system32\Enhaeldn.exe; depth 93)
PID: 1596
C:\Windows\SysWOW64\Fllaopcg.exe  (cmdline: C:\Windows\system32\Fllaopcg.exe; depth 94)
PID: 2816
C:\Windows\SysWOW64\Fipbhd32.exe  (cmdline: C:\Windows\system32\Fipbhd32.exe; depth 95)
PID: 3056
C:\Windows\SysWOW64\Fbhfajia.exe  (cmdline: C:\Windows\system32\Fbhfajia.exe; depth 96)
- Drops file in System32 directory
PID: 2580
C:\Windows\SysWOW64\Fcichb32.exe  (cmdline: C:\Windows\system32\Fcichb32.exe; depth 97)
PID: 240
C:\Windows\SysWOW64\Fjckelfm.exe  (cmdline: C:\Windows\system32\Fjckelfm.exe; depth 98)
PID: 1976
C:\Windows\SysWOW64\Fdlpnamm.exe  (cmdline: C:\Windows\system32\Fdlpnamm.exe; depth 99)
PID: 2424
C:\Windows\SysWOW64\Fnadkjlc.exe  (cmdline: C:\Windows\system32\Fnadkjlc.exe; depth 100)
PID: 1268
C:\Windows\SysWOW64\Gmkjgfmf.exe  (cmdline: C:\Windows\system32\Gmkjgfmf.exe; depth 101)
PID: 2096
C:\Windows\SysWOW64\Gbhcpmkm.exe  (cmdline: C:\Windows\system32\Gbhcpmkm.exe; depth 102)
PID: 2136
C:\Windows\SysWOW64\Gibkmgcj.exe  (cmdline: C:\Windows\system32\Gibkmgcj.exe; depth 103)
PID: 1624
C:\Windows\SysWOW64\Gbjpem32.exe  (cmdline: C:\Windows\system32\Gbjpem32.exe; depth 104)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 952
C:\Windows\SysWOW64\Geilah32.exe  (cmdline: C:\Windows\system32\Geilah32.exe; depth 105)
PID: 1772
C:\Windows\SysWOW64\Gbmlkl32.exe  (cmdline: C:\Windows\system32\Gbmlkl32.exe; depth 106)
PID: 1176
C:\Windows\SysWOW64\Gekhgh32.exe  (cmdline: C:\Windows\system32\Gekhgh32.exe; depth 107)
- Drops file in System32 directory
PID: 1760
C:\Windows\SysWOW64\Gleqdb32.exe  (cmdline: C:\Windows\system32\Gleqdb32.exe; depth 108)
- Modifies registry class
PID: 1704
C:\Windows\SysWOW64\Hememgdi.exe  (cmdline: C:\Windows\system32\Hememgdi.exe; depth 109)
PID: 2988
C:\Windows\SysWOW64\Hkjnenbp.exe  (cmdline: C:\Windows\system32\Hkjnenbp.exe; depth 110)
PID: 2880
C:\Windows\SysWOW64\Hofjem32.exe  (cmdline: C:\Windows\system32\Hofjem32.exe; depth 111)
PID: 2752
C:\Windows\SysWOW64\Hhnnnbaj.exe  (cmdline: C:\Windows\system32\Hhnnnbaj.exe; depth 112)
- Drops file in System32 directory
PID: 2452
C:\Windows\SysWOW64\Hipkfkgh.exe  (cmdline: C:\Windows\system32\Hipkfkgh.exe; depth 113)
PID: 1656
C:\Windows\SysWOW64\Hkogpn32.exe  (cmdline: C:\Windows\system32\Hkogpn32.exe; depth 114)
PID: 464
C:\Windows\SysWOW64\Hlpchfdi.exe  (cmdline: C:\Windows\system32\Hlpchfdi.exe; depth 115)
PID: 1040
C:\Windows\SysWOW64\Inkcem32.exe  (cmdline: C:\Windows\system32\Inkcem32.exe; depth 116)
PID: 1172
C:\Windows\SysWOW64\Gabofn32.exe  (cmdline: C:\Windows\system32\Gabofn32.exe; depth 117)
PID: 1956
C:\Windows\SysWOW64\Lgmekpmn.exe  (cmdline: C:\Windows\system32\Lgmekpmn.exe; depth 118)
PID: 1336
C:\Windows\SysWOW64\Oaqeogll.exe  (cmdline: C:\Windows\system32\Oaqeogll.exe; depth 119)
PID: 328
C:\Windows\SysWOW64\Ajibckpc.exe  (cmdline: C:\Windows\system32\Ajibckpc.exe; depth 120)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2092
C:\Windows\SysWOW64\Cihojiok.exe  (cmdline: C:\Windows\system32\Cihojiok.exe; depth 121)
PID: 3032
C:\Windows\SysWOW64\Codgbqmc.exe  (cmdline: C:\Windows\system32\Codgbqmc.exe; depth 122)
PID: 2308