Analysis
-
max time kernel
92s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system -
submitted
03/11/2023, 09:13
Behavioral task
behavioral1
Sample
NEAS.89f47c676ce7ac88e27f4b410f112240.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.89f47c676ce7ac88e27f4b410f112240.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.89f47c676ce7ac88e27f4b410f112240.exe
-
Size
227KB
-
MD5
89f47c676ce7ac88e27f4b410f112240
-
SHA1
9e501d4a947783f165edd9b700a5b8fc66062f03
-
SHA256
fba155c7fe6dcca0b82551cd3019c64a4a01ca54ba94e250143b30cef25b31da
-
SHA512
c85bcdbe074dbd3a990892a8c70ce4c4967c9994f58d1d28cad0f08aabdc565109a6b1fcbf15942bbd79b63d09084e7536ec20032449ca310ba9a5e06a5a1f76
-
SSDEEP
3072:6IpNtjNqnA4Em9Xio+5PE6D76Fa2T0YeyapwoTRBmDRGGurhUXvBj2QE2HegPelD:bNxNH2eT8m7U5j2QE2+g24Id2jFHu
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, value "Web Event Logger" = {79ECA078-17FF-726B-E811-213280E5C831}; SSODL entries name COM classes that Explorer instantiates in-process at logon, so this persists across reboots without touching the usual Run keys — watch writes to this key and to the matching CLSID under Classes) 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjcme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfgokap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnoocq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jempcgad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhcgkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncfalqpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gedbfimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffghjg32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppmcmah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnbnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aioodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnhlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbnhpdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhlogjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ejadibmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ffenmp32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbhjkij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bolcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ibcphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmmlccfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebabicfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcghajkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfbcidmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llomfpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqpmimbe.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinneo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdhnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohncdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jljeeqfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcghajkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlbdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nflfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmkpnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbpfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilkpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pffgonbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnhbep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmocbnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hahljg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllomg32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fikgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ehdnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfaocc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mginjnnp.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware family classified as a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers. In this run the chain is visible locally: the sample drops an EXE with a pseudo-random 8-character name into C:\Windows\SysWOW64 and launches it, and each listed dropped EXE in turn drops and launches the next one (see "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" below), while persistence is a single CLSID {79ECA078-17FF-726B-E811-213280E5C831} registered under Classes\Wow6432Node with its InProcServer32 pointing at a dropped DLL in SysWow64 and referenced from the ShellServiceObjectDelayLoad entry above.
resource yara_rule behavioral1/files/0x00080000000120ed-5.dat family_berbew behavioral1/files/0x00080000000120ed-8.dat family_berbew behavioral1/files/0x00080000000120ed-14.dat family_berbew behavioral1/files/0x00080000000120ed-12.dat family_berbew behavioral1/files/0x00080000000120ed-9.dat family_berbew behavioral1/files/0x0008000000015e04-19.dat family_berbew behavioral1/files/0x0008000000015e04-26.dat family_berbew behavioral1/files/0x0008000000015e04-23.dat family_berbew behavioral1/files/0x0008000000015e04-22.dat family_berbew behavioral1/files/0x0008000000015e04-27.dat family_berbew behavioral1/files/0x0027000000015cc4-32.dat family_berbew behavioral1/files/0x0027000000015cc4-35.dat family_berbew behavioral1/files/0x0027000000015cc4-34.dat family_berbew behavioral1/files/0x0027000000015cc4-40.dat family_berbew behavioral1/files/0x0027000000015cc4-39.dat family_berbew behavioral1/files/0x000700000001604e-46.dat family_berbew behavioral1/files/0x000700000001604e-50.dat family_berbew behavioral1/files/0x000700000001604e-49.dat family_berbew behavioral1/files/0x000700000001604e-53.dat family_berbew behavioral1/files/0x000700000001604e-55.dat family_berbew behavioral1/files/0x000800000001625a-60.dat family_berbew behavioral1/files/0x0006000000016ba2-75.dat family_berbew behavioral1/files/0x000800000001625a-64.dat family_berbew behavioral1/files/0x000800000001625a-63.dat family_berbew behavioral1/files/0x0006000000016ba2-82.dat family_berbew behavioral1/files/0x0006000000016ba2-81.dat family_berbew behavioral1/files/0x0006000000016ba2-77.dat family_berbew behavioral1/files/0x0006000000016ba2-70.dat family_berbew behavioral1/files/0x000800000001625a-69.dat family_berbew behavioral1/files/0x000800000001625a-67.dat family_berbew behavioral1/files/0x0006000000016c24-95.dat family_berbew behavioral1/files/0x0006000000016c24-96.dat family_berbew behavioral1/files/0x0006000000016c24-91.dat family_berbew behavioral1/files/0x0006000000016c24-90.dat family_berbew 
behavioral1/files/0x0006000000016c24-88.dat family_berbew behavioral1/files/0x0006000000016c9c-102.dat family_berbew behavioral1/files/0x0006000000016c9c-105.dat family_berbew behavioral1/files/0x0006000000016c9c-106.dat family_berbew behavioral1/files/0x0006000000016c9c-111.dat family_berbew behavioral1/files/0x0006000000016c9c-109.dat family_berbew behavioral1/files/0x0006000000016cd8-116.dat family_berbew behavioral1/files/0x0006000000016cd8-123.dat family_berbew behavioral1/files/0x0006000000016cd8-125.dat family_berbew behavioral1/files/0x0006000000016cd8-120.dat family_berbew behavioral1/files/0x0006000000016cd8-119.dat family_berbew behavioral1/files/0x0006000000016cec-134.dat family_berbew behavioral1/files/0x0006000000016cec-131.dat family_berbew behavioral1/files/0x0006000000016cec-139.dat family_berbew behavioral1/files/0x0006000000016cec-136.dat family_berbew behavioral1/files/0x0006000000016cec-141.dat family_berbew behavioral1/memory/2560-148-0x00000000001B0000-0x00000000001F3000-memory.dmp family_berbew behavioral1/memory/2556-156-0x00000000002B0000-0x00000000002F3000-memory.dmp family_berbew behavioral1/files/0x0006000000016cfd-153.dat family_berbew behavioral1/files/0x0006000000016cfd-152.dat family_berbew behavioral1/files/0x0006000000016cfd-149.dat family_berbew behavioral1/files/0x0006000000016cfd-158.dat family_berbew behavioral1/files/0x0006000000016cfd-157.dat family_berbew behavioral1/files/0x0006000000016d20-172.dat family_berbew behavioral1/files/0x0006000000016d20-171.dat family_berbew behavioral1/files/0x0006000000016d20-167.dat family_berbew behavioral1/files/0x0006000000016d20-166.dat family_berbew behavioral1/files/0x0006000000016d20-164.dat family_berbew behavioral1/files/0x0006000000016d40-177.dat family_berbew behavioral1/files/0x0006000000016d40-179.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2864 Hmmbqegc.exe 2640 Hmalldcn.exe 2888 Iikifegp.exe 2764 Ijnbcmkk.exe 772 Inlkik32.exe 2560 Ihdpbq32.exe 1132 Idkpganf.exe 268 Jpdnbbah.exe 1592 Jgabdlfb.exe 2556 Jbhcim32.exe 1732 Kekiphge.exe 2596 Kcecbq32.exe 1628 Knmdeioh.exe 2812 Lhfefgkg.exe 2244 Lfmbek32.exe 2148 Lklgbadb.exe 2336 Mqklqhpg.exe 1048 Mnomjl32.exe 1252 Mmdjkhdh.exe 2320 Mjhjdm32.exe 900 Mklcadfn.exe 2156 Npjlhcmd.exe 2128 Ngealejo.exe 2860 Nidmfh32.exe 2464 Nenkqi32.exe 2044 Omioekbo.exe 1508 Ompefj32.exe 2720 Obmnna32.exe 3040 Obokcqhk.exe 2540 Oemgplgo.exe 2744 Pdbdqh32.exe 2476 Pafdjmkq.exe 520 Pkcbnanl.exe 788 Qgjccb32.exe 996 Qiioon32.exe 1812 Qjklenpa.exe 2164 Aohdmdoh.exe 1580 Accqnc32.exe 1464 Allefimb.exe 2784 Aaimopli.exe 2284 Akabgebj.exe 1824 Ahebaiac.exe 1124 Anbkipok.exe 1872 Aoagccfn.exe 764 Bkhhhd32.exe 364 Bkjdndjo.exe 2212 Bqgmfkhg.exe 1288 Bnknoogp.exe 3012 Bgcbhd32.exe 1280 Bcjcme32.exe 2996 Ccmpce32.exe 3020 Cmedlk32.exe 2652 Cnimiblo.exe 2700 Cebeem32.exe 2528 Cgaaah32.exe 2836 Cbffoabe.exe 2956 Cgcnghpl.exe 1564 Ccjoli32.exe 1864 Dnpciaef.exe 588 Dfkhndca.exe 2176 Daplkmbg.exe 1960 Dmgmpnhl.exe 1296 Dpeiligo.exe 2224 Dinneo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2924 NEAS.89f47c676ce7ac88e27f4b410f112240.exe 2924 NEAS.89f47c676ce7ac88e27f4b410f112240.exe 2864 Hmmbqegc.exe 2864 Hmmbqegc.exe 2640 Hmalldcn.exe 2640 Hmalldcn.exe 2888 Iikifegp.exe 2888 Iikifegp.exe 2764 Ijnbcmkk.exe 2764 Ijnbcmkk.exe 772 Inlkik32.exe 772 Inlkik32.exe 2560 Ihdpbq32.exe 2560 Ihdpbq32.exe 1132 Idkpganf.exe 1132 Idkpganf.exe 268 Jpdnbbah.exe 268 Jpdnbbah.exe 1592 Jgabdlfb.exe 1592 Jgabdlfb.exe 2556 Jbhcim32.exe 2556 Jbhcim32.exe 1732 Kekiphge.exe 1732 Kekiphge.exe 2596 Kcecbq32.exe 2596 Kcecbq32.exe 1628 Knmdeioh.exe 1628 Knmdeioh.exe 2812 Lhfefgkg.exe 2812 Lhfefgkg.exe 2244 Lfmbek32.exe 2244 Lfmbek32.exe 2148 Lklgbadb.exe 2148 Lklgbadb.exe 2336 Mqklqhpg.exe 2336 Mqklqhpg.exe 1048 Mnomjl32.exe 1048 Mnomjl32.exe 1252 Mmdjkhdh.exe 1252 Mmdjkhdh.exe 2320 Mjhjdm32.exe 2320 Mjhjdm32.exe 900 Mklcadfn.exe 900 Mklcadfn.exe 2156 Npjlhcmd.exe 2156 Npjlhcmd.exe 2128 Ngealejo.exe 2128 Ngealejo.exe 2860 Nidmfh32.exe 2860 Nidmfh32.exe 2464 Nenkqi32.exe 2464 Nenkqi32.exe 1928 Oibmpl32.exe 1928 Oibmpl32.exe 1508 Ompefj32.exe 1508 Ompefj32.exe 2720 Obmnna32.exe 2720 Obmnna32.exe 3040 Obokcqhk.exe 3040 Obokcqhk.exe 2540 Oemgplgo.exe 2540 Oemgplgo.exe 2744 Pdbdqh32.exe 2744 Pdbdqh32.exe -
Drops file in System32 directory (every path listed is under C:\Windows\SysWOW64 — the 32-bit system directory on this x64 image, since the sample runs under WOW64 — and each dropped EXE or DLL carries a pseudo-random 8-character name; the dropping process is the previous stage of the chain, so the file names are per-run artefacts and a poor basis for static IoCs) 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jnlnid32.dll Kkfhglen.exe File created C:\Windows\SysWOW64\Chmkkf32.exe Ceoooj32.exe File created C:\Windows\SysWOW64\Qhkipdeb.exe Qiflohqk.exe File created C:\Windows\SysWOW64\Nqbidn32.dll Lhfpdi32.exe File opened for modification C:\Windows\SysWOW64\Eoecbheg.exe Emggflfc.exe File created C:\Windows\SysWOW64\Glaiak32.exe Gegaeabe.exe File created C:\Windows\SysWOW64\Eimcjl32.exe Eafkhn32.exe File created C:\Windows\SysWOW64\Bfdbgnmd.dll Ncipjieo.exe File opened for modification C:\Windows\SysWOW64\Ffeldglk.exe Fiakkcma.exe File opened for modification C:\Windows\SysWOW64\Eakooqih.exe Dpjbgh32.exe File opened for modification C:\Windows\SysWOW64\Ckchcc32.exe Bakdjn32.exe File created C:\Windows\SysWOW64\Okijhmcm.exe Ohjmlaci.exe File created C:\Windows\SysWOW64\Cfmjiqbg.dll Pffgonbb.exe File created C:\Windows\SysWOW64\Bclnpegj.dll Pcagkmaj.exe File opened for modification C:\Windows\SysWOW64\Fhngkm32.exe Eoecbheg.exe File created C:\Windows\SysWOW64\Ehdnkh32.exe Eeeanm32.exe File created C:\Windows\SysWOW64\Flapkmlj.exe Feggob32.exe File created C:\Windows\SysWOW64\Gcmfdqgf.dll Gkhaooec.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jlnmel32.exe File created C:\Windows\SysWOW64\Nmbbhd32.dll Pjjmonac.exe File created C:\Windows\SysWOW64\Lgnabh32.dll Dbkffc32.exe File opened for modification C:\Windows\SysWOW64\Ipkgejcf.exe Ibgglfdl.exe File created C:\Windows\SysWOW64\Jbnjhh32.exe Iejiodbl.exe File opened for modification C:\Windows\SysWOW64\Codeih32.exe Clfhml32.exe File created C:\Windows\SysWOW64\Cenqenin.dll Cllkkk32.exe File created C:\Windows\SysWOW64\Okkkoj32.exe Obcffefa.exe File opened for modification C:\Windows\SysWOW64\Bjalndpb.exe Baigen32.exe File created C:\Windows\SysWOW64\Nkmgmf32.dll Pikohg32.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hkjkle32.exe File created C:\Windows\SysWOW64\Bcaafadj.dll Qonlhd32.exe File created C:\Windows\SysWOW64\Amplklmj.exe Afecna32.exe 
File created C:\Windows\SysWOW64\Pkcbnanl.exe Pafdjmkq.exe File created C:\Windows\SysWOW64\Dpeiligo.exe Dmgmpnhl.exe File created C:\Windows\SysWOW64\Pfbfhm32.exe Pddjlb32.exe File created C:\Windows\SysWOW64\Mobafhlg.dll Jefbnacn.exe File created C:\Windows\SysWOW64\Hpjeknfi.exe Hfaqbh32.exe File created C:\Windows\SysWOW64\Jdlclo32.exe Jnbkodci.exe File created C:\Windows\SysWOW64\Nkdpmn32.exe Nhcgkbja.exe File created C:\Windows\SysWOW64\Fjpknjgd.dll Eonfgbhc.exe File opened for modification C:\Windows\SysWOW64\Hmmbqegc.exe NEAS.89f47c676ce7ac88e27f4b410f112240.exe File created C:\Windows\SysWOW64\Npechhgd.exe Mkfojakp.exe File opened for modification C:\Windows\SysWOW64\Cpejfjha.exe Cikbjpqd.exe File opened for modification C:\Windows\SysWOW64\Dfhdnn32.exe Ckbpqe32.exe File opened for modification C:\Windows\SysWOW64\Kbnhpdke.exe Kmaphmln.exe File created C:\Windows\SysWOW64\Jqlidcln.dll Codeih32.exe File created C:\Windows\SysWOW64\Ieppjclf.exe Ibadnhmb.exe File opened for modification C:\Windows\SysWOW64\Lhfefgkg.exe Knmdeioh.exe File created C:\Windows\SysWOW64\Npjlhcmd.exe Mklcadfn.exe File created C:\Windows\SysWOW64\Bkhhhd32.exe Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Onamle32.exe Oggeokoq.exe File created C:\Windows\SysWOW64\Ehfnim32.dll Ijfqfj32.exe File created C:\Windows\SysWOW64\Jcnoejch.exe Jjfkmdlg.exe File opened for modification C:\Windows\SysWOW64\Pidaba32.exe Pnnmeh32.exe File created C:\Windows\SysWOW64\Kkfhglen.exe Kkckblgq.exe File created C:\Windows\SysWOW64\Jehpna32.exe Jongag32.exe File created C:\Windows\SysWOW64\Ckidej32.dll Jejlca32.exe File created C:\Windows\SysWOW64\Jaecod32.exe Joggci32.exe File opened for modification C:\Windows\SysWOW64\Pddjlb32.exe Pioeoi32.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Gamkol32.exe Gnoocq32.exe File created C:\Windows\SysWOW64\Pamnnemo.exe Pkcfak32.exe File created 
C:\Windows\SysWOW64\Nfcakjoj.dll Npjlhcmd.exe File opened for modification C:\Windows\SysWOW64\Pjihmmbk.exe Pmehdh32.exe File created C:\Windows\SysWOW64\Jmdieknp.dll Afecna32.exe -
Modifies registry class (registers COM CLSID {79ECA078-17FF-726B-E811-213280E5C831} under HKLM\SOFTWARE\Classes\Wow6432Node with InProcServer32 pointing at a dropped DLL in C:\Windows\SysWow64 and ThreadingModel = "Apartment"; this is the same CLSID named by the ShellServiceObjectDelayLoad autorun entry above, so that DLL is loaded into Explorer.exe at logon. Successive stages overwrite the InProcServer32 default value with different DLL names, so the DLL actually loaded at the next logon is whichever was written last) 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpdnbbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohjmlaci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpgakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmmlccfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jmipdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijfqfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afbnec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cikbjpqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjnpn32.dll" Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfhdnn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll" Jnmiag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjoaod.dll" Plcied32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klheoobo.dll" Celbik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eehndm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnlcm32.dll" Godaakic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgfien.dll" Hnpgloog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhlogjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkafpim.dll" Emggflfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeeanh32.dll" Bnbnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ckmbdh32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnakhlq.dll" Eoomai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgfflgg.dll" Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obgnhkkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqeelgjb.dll" Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oophlpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jemplnpf.dll" Ffenmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqifpf32.dll" Gfldno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkekhpob.dll" Fihfnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jkkjeeke.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlpofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpkmlj32.dll" Lhbhdnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgidcjn.dll" Npdhaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oggeokoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnjjcbiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eakooqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbojjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qbodjofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Klbdiokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjeafp.dll" Nmpiicdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egonhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ankhmncb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndlaqocp.dll" Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hailie32.dll" Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hhfmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkhh32.dll" Afcghbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgmlmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocbagqd.dll" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggpokfi.dll" Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Afbnec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgaoic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edohki32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcjilgdb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2864 2924 NEAS.89f47c676ce7ac88e27f4b410f112240.exe 27 PID 2924 wrote to memory of 2864 2924 NEAS.89f47c676ce7ac88e27f4b410f112240.exe 27 PID 2924 wrote to memory of 2864 2924 NEAS.89f47c676ce7ac88e27f4b410f112240.exe 27 PID 2924 wrote to memory of 2864 2924 NEAS.89f47c676ce7ac88e27f4b410f112240.exe 27 PID 2864 wrote to memory of 2640 2864 Hmmbqegc.exe 28 PID 2864 wrote to memory of 2640 2864 Hmmbqegc.exe 28 PID 2864 wrote to memory of 2640 2864 Hmmbqegc.exe 28 PID 2864 wrote to memory of 2640 2864 Hmmbqegc.exe 28 PID 2640 wrote to memory of 2888 2640 Hmalldcn.exe 29 PID 2640 wrote to memory of 2888 2640 Hmalldcn.exe 29 PID 2640 wrote to memory of 2888 2640 Hmalldcn.exe 29 PID 2640 wrote to memory of 2888 2640 Hmalldcn.exe 29 PID 2888 wrote to memory of 2764 2888 Iikifegp.exe 30 PID 2888 wrote to memory of 2764 2888 Iikifegp.exe 30 PID 2888 wrote to memory of 2764 2888 Iikifegp.exe 30 PID 2888 wrote to memory of 2764 2888 Iikifegp.exe 30 PID 2764 wrote to memory of 772 2764 Ijnbcmkk.exe 31 PID 2764 wrote to memory of 772 2764 Ijnbcmkk.exe 31 PID 2764 wrote to memory of 772 2764 Ijnbcmkk.exe 31 PID 2764 wrote to memory of 772 2764 Ijnbcmkk.exe 31 PID 772 wrote to memory of 2560 772 Inlkik32.exe 32 PID 772 wrote to memory of 2560 772 Inlkik32.exe 32 PID 772 wrote to memory of 2560 772 Inlkik32.exe 32 PID 772 wrote to memory of 2560 772 Inlkik32.exe 32 PID 2560 wrote to memory of 1132 2560 Ihdpbq32.exe 33 PID 2560 wrote to memory of 1132 2560 Ihdpbq32.exe 33 PID 2560 wrote to memory of 1132 2560 Ihdpbq32.exe 33 PID 2560 wrote to memory of 1132 2560 Ihdpbq32.exe 33 PID 1132 wrote to memory of 268 1132 Idkpganf.exe 34 PID 1132 wrote to memory of 268 1132 Idkpganf.exe 34 PID 1132 wrote to memory of 268 1132 Idkpganf.exe 34 PID 1132 wrote to memory of 268 1132 Idkpganf.exe 34 PID 268 wrote to memory of 1592 268 Jpdnbbah.exe 35 PID 268 wrote to memory of 1592 268 Jpdnbbah.exe 35 PID 268 wrote to memory of 
1592 268 Jpdnbbah.exe 35 PID 268 wrote to memory of 1592 268 Jpdnbbah.exe 35 PID 1592 wrote to memory of 2556 1592 Jgabdlfb.exe 36 PID 1592 wrote to memory of 2556 1592 Jgabdlfb.exe 36 PID 1592 wrote to memory of 2556 1592 Jgabdlfb.exe 36 PID 1592 wrote to memory of 2556 1592 Jgabdlfb.exe 36 PID 2556 wrote to memory of 1732 2556 Jbhcim32.exe 37 PID 2556 wrote to memory of 1732 2556 Jbhcim32.exe 37 PID 2556 wrote to memory of 1732 2556 Jbhcim32.exe 37 PID 2556 wrote to memory of 1732 2556 Jbhcim32.exe 37 PID 1732 wrote to memory of 2596 1732 Kekiphge.exe 38 PID 1732 wrote to memory of 2596 1732 Kekiphge.exe 38 PID 1732 wrote to memory of 2596 1732 Kekiphge.exe 38 PID 1732 wrote to memory of 2596 1732 Kekiphge.exe 38 PID 2596 wrote to memory of 1628 2596 Kcecbq32.exe 39 PID 2596 wrote to memory of 1628 2596 Kcecbq32.exe 39 PID 2596 wrote to memory of 1628 2596 Kcecbq32.exe 39 PID 2596 wrote to memory of 1628 2596 Kcecbq32.exe 39 PID 1628 wrote to memory of 2812 1628 Knmdeioh.exe 40 PID 1628 wrote to memory of 2812 1628 Knmdeioh.exe 40 PID 1628 wrote to memory of 2812 1628 Knmdeioh.exe 40 PID 1628 wrote to memory of 2812 1628 Knmdeioh.exe 40 PID 2812 wrote to memory of 2244 2812 Lhfefgkg.exe 41 PID 2812 wrote to memory of 2244 2812 Lhfefgkg.exe 41 PID 2812 wrote to memory of 2244 2812 Lhfefgkg.exe 41 PID 2812 wrote to memory of 2244 2812 Lhfefgkg.exe 41 PID 2244 wrote to memory of 2148 2244 Lfmbek32.exe 42 PID 2244 wrote to memory of 2148 2244 Lfmbek32.exe 42 PID 2244 wrote to memory of 2148 2244 Lfmbek32.exe 42 PID 2244 wrote to memory of 2148 2244 Lfmbek32.exe 42
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.89f47c676ce7ac88e27f4b410f112240.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.89f47c676ce7ac88e27f4b410f112240.exe" | 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Hmmbqegc.exe | C:\Windows\system32\Hmmbqegc.exe | 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Hmalldcn.exe | C:\Windows\system32\Hmalldcn.exe | 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Iikifegp.exe | C:\Windows\system32\Iikifegp.exe | 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ijnbcmkk.exe | C:\Windows\system32\Ijnbcmkk.exe | 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Inlkik32.exe | C:\Windows\system32\Inlkik32.exe | 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Ihdpbq32.exe | C:\Windows\system32\Ihdpbq32.exe | 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Idkpganf.exe | C:\Windows\system32\Idkpganf.exe | 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Jpdnbbah.exe | C:\Windows\system32\Jpdnbbah.exe | 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Jgabdlfb.exe | C:\Windows\system32\Jgabdlfb.exe | 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Jbhcim32.exe | C:\Windows\system32\Jbhcim32.exe | 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Kekiphge.exe | C:\Windows\system32\Kekiphge.exe | 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Kcecbq32.exe | C:\Windows\system32\Kcecbq32.exe | 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Knmdeioh.exe | C:\Windows\system32\Knmdeioh.exe | 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Lhfefgkg.exe | C:\Windows\system32\Lhfefgkg.exe | 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Lfmbek32.exe | C:\Windows\system32\Lfmbek32.exe | 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Lklgbadb.exe | C:\Windows\system32\Lklgbadb.exe | 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Mqklqhpg.exe | C:\Windows\system32\Mqklqhpg.exe | 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Mnomjl32.exe | C:\Windows\system32\Mnomjl32.exe | 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Mmdjkhdh.exe | C:\Windows\system32\Mmdjkhdh.exe | 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Mjhjdm32.exe | C:\Windows\system32\Mjhjdm32.exe | 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Mklcadfn.exe | C:\Windows\system32\Mklcadfn.exe | 22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Npjlhcmd.exe | C:\Windows\system32\Npjlhcmd.exe | 23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Ngealejo.exe | C:\Windows\system32\Ngealejo.exe | 24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Nidmfh32.exe | C:\Windows\system32\Nidmfh32.exe | 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Nenkqi32.exe | C:\Windows\system32\Nenkqi32.exe | 26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Omioekbo.exe | C:\Windows\system32\Omioekbo.exe | 27⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Oibmpl32.exe | C:\Windows\system32\Oibmpl32.exe | 28⤵
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Ompefj32.exe | C:\Windows\system32\Ompefj32.exe | 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Obmnna32.exe | C:\Windows\system32\Obmnna32.exe | 30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Obokcqhk.exe | C:\Windows\system32\Obokcqhk.exe | 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Oemgplgo.exe | C:\Windows\system32\Oemgplgo.exe | 32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Pdbdqh32.exe | C:\Windows\system32\Pdbdqh32.exe | 33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Pafdjmkq.exe | C:\Windows\system32\Pafdjmkq.exe | 34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Pkcbnanl.exe | C:\Windows\system32\Pkcbnanl.exe | 35⤵
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Qgjccb32.exe | C:\Windows\system32\Qgjccb32.exe | 36⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Qiioon32.exe | C:\Windows\system32\Qiioon32.exe | 37⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Qjklenpa.exe | C:\Windows\system32\Qjklenpa.exe | 38⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Aohdmdoh.exe | C:\Windows\system32\Aohdmdoh.exe | 39⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Accqnc32.exe | C:\Windows\system32\Accqnc32.exe | 40⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Allefimb.exe | C:\Windows\system32\Allefimb.exe | 41⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Aaimopli.exe | C:\Windows\system32\Aaimopli.exe | 42⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Akabgebj.exe | C:\Windows\system32\Akabgebj.exe | 43⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ahebaiac.exe | C:\Windows\system32\Ahebaiac.exe | 44⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Anbkipok.exe | C:\Windows\system32\Anbkipok.exe | 45⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Aoagccfn.exe | C:\Windows\system32\Aoagccfn.exe | 46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\system32\Bkhhhd32.exe | 47⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Bkjdndjo.exe | C:\Windows\system32\Bkjdndjo.exe | 48⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Bqgmfkhg.exe | C:\Windows\system32\Bqgmfkhg.exe | 49⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Bnknoogp.exe | C:\Windows\system32\Bnknoogp.exe | 50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Bgcbhd32.exe | C:\Windows\system32\Bgcbhd32.exe | 51⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Bcjcme32.exe | C:\Windows\system32\Bcjcme32.exe | 52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Ccmpce32.exe | C:\Windows\system32\Ccmpce32.exe | 53⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Cmedlk32.exe | C:\Windows\system32\Cmedlk32.exe | 54⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Cnimiblo.exe | C:\Windows\system32\Cnimiblo.exe | 55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cebeem32.exe | C:\Windows\system32\Cebeem32.exe | 56⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Cgaaah32.exe | C:\Windows\system32\Cgaaah32.exe | 57⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Cbffoabe.exe | C:\Windows\system32\Cbffoabe.exe | 58⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Cgcnghpl.exe | C:\Windows\system32\Cgcnghpl.exe | 59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ccjoli32.exe | C:\Windows\system32\Ccjoli32.exe | 60⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Dnpciaef.exe | C:\Windows\system32\Dnpciaef.exe | 61⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Dfkhndca.exe | C:\Windows\system32\Dfkhndca.exe | 62⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Daplkmbg.exe | C:\Windows\system32\Daplkmbg.exe | 63⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dmgmpnhl.exe | C:\Windows\system32\Dmgmpnhl.exe | 64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Dpeiligo.exe | C:\Windows\system32\Dpeiligo.exe | 65⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Dinneo32.exe | C:\Windows\system32\Dinneo32.exe | 66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Dlljaj32.exe | C:\Windows\system32\Dlljaj32.exe | 67⤵ PID:2252
-
C:\Windows\SysWOW64\Dpjbgh32.exe | C:\Windows\system32\Dpjbgh32.exe | 68⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Eakooqih.exe | C:\Windows\system32\Eakooqih.exe | 69⤵
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Eeldkonl.exe | C:\Windows\system32\Eeldkonl.exe | 70⤵ PID:2884
-
C:\Windows\SysWOW64\Ehjqgjmp.exe | C:\Windows\system32\Ehjqgjmp.exe | 71⤵ PID:608
-
C:\Windows\SysWOW64\Epeekmjk.exe | C:\Windows\system32\Epeekmjk.exe | 72⤵ PID:2016
-
C:\Windows\SysWOW64\Egonhf32.exe | C:\Windows\system32\Egonhf32.exe | 73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Egajnfoe.exe | C:\Windows\system32\Egajnfoe.exe | 74⤵ PID:1624
-
C:\Windows\SysWOW64\Flocfmnl.exe | C:\Windows\system32\Flocfmnl.exe | 75⤵ PID:1668
-
C:\Windows\SysWOW64\Feggob32.exe | C:\Windows\system32\Feggob32.exe | 76⤵
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Flapkmlj.exe | C:\Windows\system32\Flapkmlj.exe | 77⤵ PID:872
-
C:\Windows\SysWOW64\Fgfdie32.exe | C:\Windows\system32\Fgfdie32.exe | 78⤵ PID:2064
-
C:\Windows\SysWOW64\Fhgppnan.exe | C:\Windows\system32\Fhgppnan.exe | 79⤵ PID:1228
-
C:\Windows\SysWOW64\Felajbpg.exe | C:\Windows\system32\Felajbpg.exe | 80⤵ PID:1704
-
C:\Windows\SysWOW64\Fodebh32.exe | C:\Windows\system32\Fodebh32.exe | 81⤵ PID:3048
-
C:\Windows\SysWOW64\Fabaocfl.exe | C:\Windows\system32\Fabaocfl.exe | 82⤵ PID:2644
-
C:\Windows\SysWOW64\Fkkfgi32.exe | C:\Windows\system32\Fkkfgi32.exe | 83⤵ PID:1912
-
C:\Windows\SysWOW64\Fnibcd32.exe | C:\Windows\system32\Fnibcd32.exe | 84⤵ PID:2492
-
C:\Windows\SysWOW64\Ggagmjbq.exe | C:\Windows\system32\Ggagmjbq.exe | 85⤵ PID:2660
-
C:\Windows\SysWOW64\Gagkjbaf.exe | C:\Windows\system32\Gagkjbaf.exe | 86⤵ PID:2572
-
C:\Windows\SysWOW64\Ghacfmic.exe | C:\Windows\system32\Ghacfmic.exe | 87⤵ PID:592
-
C:\Windows\SysWOW64\Gnnlocgk.exe | C:\Windows\system32\Gnnlocgk.exe | 88⤵ PID:1384
-
C:\Windows\SysWOW64\Gqlhkofn.exe | C:\Windows\system32\Gqlhkofn.exe | 89⤵ PID:1692
-
C:\Windows\SysWOW64\Gnphdceh.exe | C:\Windows\system32\Gnphdceh.exe | 90⤵ PID:1568
-
C:\Windows\SysWOW64\Gqodqodl.exe | C:\Windows\system32\Gqodqodl.exe | 91⤵ PID:2108
-
C:\Windows\SysWOW64\Godaakic.exe | C:\Windows\system32\Godaakic.exe | 92⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Gfnjne32.exe | C:\Windows\system32\Gfnjne32.exe | 93⤵ PID:1256
-
C:\Windows\SysWOW64\Gmhbkohm.exe | C:\Windows\system32\Gmhbkohm.exe | 94⤵ PID:2192
-
C:\Windows\SysWOW64\Hofngkga.exe | C:\Windows\system32\Hofngkga.exe | 95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Hjlbdc32.exe | C:\Windows\system32\Hjlbdc32.exe | 96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Hmjoqo32.exe | C:\Windows\system32\Hmjoqo32.exe | 97⤵
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Hfbcidmk.exe | C:\Windows\system32\Hfbcidmk.exe | 98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Hkolakkb.exe | C:\Windows\system32\Hkolakkb.exe | 99⤵ PID:2076
-
C:\Windows\SysWOW64\Hbidne32.exe | C:\Windows\system32\Hbidne32.exe | 100⤵ PID:3000
-
C:\Windows\SysWOW64\Hgflflqg.exe | C:\Windows\system32\Hgflflqg.exe | 101⤵ PID:2880
-
C:\Windows\SysWOW64\Hbkqdepm.exe | C:\Windows\system32\Hbkqdepm.exe | 102⤵ PID:1388
-
C:\Windows\SysWOW64\Hieiqo32.exe | C:\Windows\system32\Hieiqo32.exe | 103⤵ PID:2604
-
C:\Windows\SysWOW64\Hjgehgnh.exe | C:\Windows\system32\Hjgehgnh.exe | 104⤵ PID:2724
-
C:\Windows\SysWOW64\Ipmqgmcd.exe | C:\Windows\system32\Ipmqgmcd.exe | 105⤵ PID:2704
-
C:\Windows\SysWOW64\Iejiodbl.exe | C:\Windows\system32\Iejiodbl.exe | 106⤵
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Jbnjhh32.exe | C:\Windows\system32\Jbnjhh32.exe | 107⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Jlfnangf.exe | C:\Windows\system32\Jlfnangf.exe | 108⤵ PID:1000
-
C:\Windows\SysWOW64\Jbpfnh32.exe | C:\Windows\system32\Jbpfnh32.exe | 109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Joggci32.exe | C:\Windows\system32\Joggci32.exe | 110⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Jaecod32.exe | C:\Windows\system32\Jaecod32.exe | 111⤵ PID:2408
-
C:\Windows\SysWOW64\Jjnhhjjk.exe | C:\Windows\system32\Jjnhhjjk.exe | 112⤵ PID:2828
-
C:\Windows\SysWOW64\Jfdhmk32.exe | C:\Windows\system32\Jfdhmk32.exe | 113⤵ PID:1136
-
C:\Windows\SysWOW64\Jajmjcoe.exe | C:\Windows\system32\Jajmjcoe.exe | 114⤵ PID:1452
-
C:\Windows\SysWOW64\Jhdegn32.exe | C:\Windows\system32\Jhdegn32.exe | 115⤵ PID:2448
-
C:\Windows\SysWOW64\Kpojkp32.exe | C:\Windows\system32\Kpojkp32.exe | 116⤵ PID:1868
-
C:\Windows\SysWOW64\Kbmfgk32.exe | C:\Windows\system32\Kbmfgk32.exe | 117⤵ PID:928
-
C:\Windows\SysWOW64\Kmcjedcg.exe | C:\Windows\system32\Kmcjedcg.exe | 118⤵ PID:1532
-
C:\Windows\SysWOW64\Kenoifpb.exe | C:\Windows\system32\Kenoifpb.exe | 119⤵ PID:2972
-
C:\Windows\SysWOW64\Kilgoe32.exe | C:\Windows\system32\Kilgoe32.exe | 120⤵ PID:2020
-
C:\Windows\SysWOW64\Koipglep.exe | C:\Windows\system32\Koipglep.exe | 121⤵ PID:2708
-
C:\Windows\SysWOW64\Kkpqlm32.exe | C:\Windows\system32\Kkpqlm32.exe | 122⤵ PID:2520