Analysis
max time kernel: 82s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2023 17:01
Behavioral task: behavioral1
Sample: NEAS.b8c086bbf9266afda24bdd229e4df480.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.b8c086bbf9266afda24bdd229e4df480.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.b8c086bbf9266afda24bdd229e4df480.exe
Size: 130KB
MD5: b8c086bbf9266afda24bdd229e4df480
SHA1: 39e4847c7e7202924cb9c92ca117a5715e037f7e
SHA256: 978eb5649c43f54341d49837cd982c89b53f856c132189f591573e44a764df1a
SHA512: 574762ba297b1f22e6c2cd53471f9ffd50e24c41f7d4133f900c6247dc27405a4eb6d8e6b7468364c3315fc46e161490fa8001c95ec68083f50965fb4137e05e
SSDEEP: 3072:fPTP2atnZ6oLWnyTB0GT2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/4:fLP9ZPLWnyTB0I4BhHmNEcYj9nhV8NCV
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbgfhnhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qihoak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdpagc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opjponbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acgacegg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oijgmokc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbdbcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebcdjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjcdih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpljdjnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olbdacbp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkomgkoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klpjad32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okneldkf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpodkdll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Giahndcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajggjq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nneiikqe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moiheebb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqgjoenq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Donlkjng.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Canlfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfdfanoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mekdffee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmccnk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plcmiofg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iodaikfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpgbna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khplnn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abqjci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijfbhflj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhgmcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmoagk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chddpn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifjoma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jklihbol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjehok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjednmla.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gclimi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfqjhmhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amibqhed.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlpeol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbfmgd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klddlckd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Homcbo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qipqibmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbbjhini.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghpehjph.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqgiel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhdilold.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkemfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okfbgiij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fghcqq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjhjae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anadho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpjjpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lnkgbibj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hikfbeod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcmfnd32.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/5108-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/5108-5-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cde-7.dat | family_berbew
behavioral2/files/0x0006000000022cde-9.dat | family_berbew
behavioral2/memory/1488-8-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x000a000000022bee-15.dat | family_berbew
behavioral2/memory/4896-16-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x000a000000022bee-17.dat | family_berbew
behavioral2/files/0x0007000000022cd5-18.dat | family_berbew
behavioral2/files/0x0007000000022cd5-23.dat | family_berbew
behavioral2/memory/3244-25-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cd5-24.dat | family_berbew
behavioral2/files/0x000a000000022bf1-31.dat | family_berbew
behavioral2/memory/3580-32-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x000a000000022bf1-33.dat | family_berbew
behavioral2/files/0x0009000000022cdb-39.dat | family_berbew
behavioral2/memory/1084-40-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0009000000022cdb-41.dat | family_berbew
behavioral2/files/0x0008000000022cdd-47.dat | family_berbew
behavioral2/memory/4888-48-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cdd-49.dat | family_berbew
behavioral2/files/0x0009000000022ce2-55.dat | family_berbew
behavioral2/memory/3236-56-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0009000000022ce2-57.dat | family_berbew
behavioral2/files/0x0006000000022ce4-58.dat | family_berbew
behavioral2/files/0x0006000000022ce4-63.dat | family_berbew
behavioral2/memory/432-65-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce4-64.dat | family_berbew
behavioral2/files/0x0006000000022ce6-71.dat | family_berbew
behavioral2/files/0x0006000000022ce6-72.dat | family_berbew
behavioral2/memory/4924-73-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/1936-80-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ce8-79.dat | family_berbew
behavioral2/files/0x0006000000022ce8-81.dat | family_berbew
behavioral2/files/0x0006000000022ceb-89.dat | family_berbew
behavioral2/memory/2520-88-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ceb-87.dat | family_berbew
behavioral2/files/0x0006000000022ced-95.dat | family_berbew
behavioral2/memory/3932-96-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022ced-97.dat | family_berbew
behavioral2/files/0x0006000000022cef-103.dat | family_berbew
behavioral2/files/0x0006000000022cef-104.dat | family_berbew
behavioral2/memory/4804-105-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf1-111.dat | family_berbew
behavioral2/memory/3560-112-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf1-113.dat | family_berbew
behavioral2/files/0x0006000000022cf3-119.dat | family_berbew
behavioral2/files/0x0006000000022cf3-120.dat | family_berbew
behavioral2/memory/1128-121-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/memory/1556-134-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf5-128.dat | family_berbew
behavioral2/memory/3052-137-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf7-136.dat | family_berbew
behavioral2/files/0x0006000000022cf7-135.dat | family_berbew
behavioral2/files/0x0006000000022cf5-127.dat | family_berbew
behavioral2/files/0x0006000000022cf9-143.dat | family_berbew
behavioral2/files/0x0006000000022cf9-144.dat | family_berbew
behavioral2/memory/2684-145-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfb-151.dat | family_berbew
behavioral2/files/0x0006000000022cfb-153.dat | family_berbew
behavioral2/memory/3432-152-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfe-159.dat | family_berbew
behavioral2/files/0x0006000000022cfe-160.dat | family_berbew
behavioral2/memory/3488-161-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
1488 | Kcmfnd32.exe
4896 | Lllagh32.exe
3244 | Lcmodajm.exe
3580 | Mbdiknlb.exe
1084 | Mqhfoebo.exe
4888 | Nhegig32.exe
3236 | Nhhdnf32.exe
432 | Nimmifgo.exe
4924 | Ooibkpmi.exe
1936 | Oonlfo32.exe
2520 | Obnehj32.exe
3932 | Omfekbdh.exe
4804 | Pjlcjf32.exe
3560 | Pjoppf32.exe
1128 | Pfhmjf32.exe
1556 | Amfobp32.exe
3052 | Afockelf.exe
2684 | Apjdikqd.exe
3432 | Ampaho32.exe
3488 | Bdlfjh32.exe
4576 | Bmggingc.exe
4236 | Bbfmgd32.exe
3436 | Ckpamabg.exe
3888 | Ccmcgcmp.exe
1316 | Ckggnp32.exe
4696 | Daeifj32.exe
2600 | Dckoia32.exe
4328 | Egkddo32.exe
4000 | Ecikjoep.exe
4168 | Edihdb32.exe
3232 | Fkemfl32.exe
4224 | Fnjocf32.exe
4988 | Gcjdam32.exe
4596 | Gdknpp32.exe
3456 | Hjmodffo.exe
1212 | Hgapmj32.exe
3940 | Hjaioe32.exe
4004 | Hnpaec32.exe
5032 | Hjfbjdnd.exe
2068 | Ijiopd32.exe
2700 | Ieqpbm32.exe
228 | Inkaqb32.exe
2272 | Jehfcl32.exe
1192 | Jhhodg32.exe
5048 | Jelonkph.exe
4288 | Jacpcl32.exe
3728 | Kbgfhnhi.exe
984 | Klpjad32.exe
4772 | Kblpcndd.exe
4356 | Klddlckd.exe
1380 | Loemnnhe.exe
5076 | Lhpnlclc.exe
1848 | Lkqgno32.exe
1020 | Mekdffee.exe
3936 | Mdpagc32.exe
3476 | Mdbnmbhj.exe
3996 | Mllccpfj.exe
3732 | Ndidna32.exe
1652 | Nhgmcp32.exe
3472 | Nkhfek32.exe
4332 | Ollljmhg.exe
3816 | Ohcmpn32.exe
4376 | Okfbgiij.exe
3092 | Pmeoqlpl.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ipihkobl.exe | Hfacai32.exe
File opened for modification | C:\Windows\SysWOW64\Jjfdfl32.exe | Jeilne32.exe
File created | C:\Windows\SysWOW64\Aapkcn32.dll | Bndjfjhl.exe
File created | C:\Windows\SysWOW64\Eeomfioh.exe | Eelpqi32.exe
File opened for modification | C:\Windows\SysWOW64\Jhgpbf32.exe | Jnalem32.exe
File created | C:\Windows\SysWOW64\Mkfnlmkl.exe | Mfdlif32.exe
File created | C:\Windows\SysWOW64\Lmgfpgpb.dll | Qlhnng32.exe
File created | C:\Windows\SysWOW64\Mlcieblm.dll | Lagepl32.exe
File created | C:\Windows\SysWOW64\Kjlmbnof.exe | Kjipmoai.exe
File created | C:\Windows\SysWOW64\Emanepld.exe | Egeemiml.exe
File created | C:\Windows\SysWOW64\Ipbdcofa.dll | Jfopcgpk.exe
File created | C:\Windows\SysWOW64\Dpkgac32.dll | Dfakcj32.exe
File opened for modification | C:\Windows\SysWOW64\Knbinhfl.exe | Kanidd32.exe
File opened for modification | C:\Windows\SysWOW64\Bnlfqngm.exe | Acgacegg.exe
File created | C:\Windows\SysWOW64\Gmcidg32.dll | Dgjmkqke.exe
File created | C:\Windows\SysWOW64\Gfqjgb32.dll | Process not Found
File created | C:\Windows\SysWOW64\Lcmodajm.exe | Lllagh32.exe
File created | C:\Windows\SysWOW64\Maommm32.dll | Gclimi32.exe
File created | C:\Windows\SysWOW64\Jnalem32.exe | Jdiglgbg.exe
File created | C:\Windows\SysWOW64\Lfgnho32.dll | Pjoppf32.exe
File opened for modification | C:\Windows\SysWOW64\Pkonbamc.exe | Pbdmdlie.exe
File opened for modification | C:\Windows\SysWOW64\Hdokok32.exe | Hejono32.exe
File created | C:\Windows\SysWOW64\Lqlhniij.dll | Lnkgbibj.exe
File created | C:\Windows\SysWOW64\Dgdfkqep.dll | Process not Found
File created | C:\Windows\SysWOW64\Obnehj32.exe | Oonlfo32.exe
File created | C:\Windows\SysWOW64\Clgmkbna.exe | Cdjlap32.exe
File opened for modification | C:\Windows\SysWOW64\Dfakcj32.exe | Debnjgcp.exe
File created | C:\Windows\SysWOW64\Dfogdfmq.dll | Epeohn32.exe
File created | C:\Windows\SysWOW64\Pmceobnb.dll | Ilqmam32.exe
File created | C:\Windows\SysWOW64\Dokqfl32.exe | Hfdfanoa.exe
File created | C:\Windows\SysWOW64\Fbcolk32.dll | Ckpamabg.exe
File created | C:\Windows\SysWOW64\Fkemfl32.exe | Edihdb32.exe
File created | C:\Windows\SysWOW64\Gnlenp32.exe | Fdadpk32.exe
File created | C:\Windows\SysWOW64\Cghgpgqd.exe | Calbnnkj.exe
File opened for modification | C:\Windows\SysWOW64\Kffphhmj.exe | Kkaljpmd.exe
File created | C:\Windows\SysWOW64\Lhlgjo32.dll | Fkemfl32.exe
File created | C:\Windows\SysWOW64\Oknnanhj.exe | Oinbgk32.exe
File created | C:\Windows\SysWOW64\Jeanfkob.exe | Jklihbol.exe
File opened for modification | C:\Windows\SysWOW64\Ppdjpcng.exe | Pgkegn32.exe
File created | C:\Windows\SysWOW64\Gdaejejc.dll | Hcabhido.exe
File created | C:\Windows\SysWOW64\Lfqjhmhk.exe | Lmheph32.exe
File created | C:\Windows\SysWOW64\Pabbjl32.dll | Dhmgdo32.exe
File opened for modification | C:\Windows\SysWOW64\Ampaho32.exe | Apjdikqd.exe
File created | C:\Windows\SysWOW64\Dckoia32.exe | Daeifj32.exe
File created | C:\Windows\SysWOW64\Bjqelb32.dll | Ahpdcn32.exe
File opened for modification | C:\Windows\SysWOW64\Jhjcbljf.exe | Jmccnk32.exe
File created | C:\Windows\SysWOW64\Embdofop.exe | Ecjpfp32.exe
File created | C:\Windows\SysWOW64\Hdcbbbbi.dll | Bhdilold.exe
File created | C:\Windows\SysWOW64\Ccckoq32.dll | Ccacjgfb.exe
File created | C:\Windows\SysWOW64\Dmfbkh32.dll | Fnjocf32.exe
File created | C:\Windows\SysWOW64\Ohdbkh32.exe | Ogefqeaj.exe
File opened for modification | C:\Windows\SysWOW64\Ldlmieaa.exe | Lkchpoka.exe
File opened for modification | C:\Windows\SysWOW64\Lcmodajm.exe | Lllagh32.exe
File created | C:\Windows\SysWOW64\Icklacqn.dll | Bbniai32.exe
File created | C:\Windows\SysWOW64\Nacemc32.dll | Ppnbpg32.exe
File opened for modification | C:\Windows\SysWOW64\Lggeej32.exe | Ngjcgdba.exe
File created | C:\Windows\SysWOW64\Ockhfbgl.dll | Acpkbf32.exe
File opened for modification | C:\Windows\SysWOW64\Eokjke32.exe | Dcdifdem.exe
File created | C:\Windows\SysWOW64\Eckogc32.exe | Ihbdja32.exe
File created | C:\Windows\SysWOW64\Bggknnmj.dll | Ohdbkh32.exe
File created | C:\Windows\SysWOW64\Djnhne32.exe | Dfqogfjo.exe
File created | C:\Windows\SysWOW64\Qkcackeb.exe | Qjcdih32.exe
File created | C:\Windows\SysWOW64\Pofbggpf.dll | Jkajnh32.exe
File created | C:\Windows\SysWOW64\Lignkpal.dll | Pgefogop.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4460 | 7248 | Process not Found | 1297
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eckogc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjjjfkdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okoogdck.dll" | Obmeeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcfmla32.dll" | Ehdmenhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhmgdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lihpdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikinag32.dll" | Mbamcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omfekbdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ollljmhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gpgbna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbqdmodg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjepkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdiaha32.dll" | Ppdjpcng.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oonlfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll" | Apkjddke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kifcnjpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fcgemhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqkdjmm.dll" | Gllajf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ijkdkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmiealgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfbdpabn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oibdhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feggihah.dll" | Ddnmeejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdobhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aghdco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkchqpgd.dll" | Qhghge32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Defajqko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmjjqhpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qpfokpoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkjah32.dll" | Aldeap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acgacegg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokmbh32.dll" | Blchmdff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knkokl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdako32.dll" | Lihpdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcqapjnl.dll" | Peaahmcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jklihbol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fcikhace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbndhppc.dll" | Okfbgiij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjieii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhbbojn.dll" | Fajgfiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmile32.dll" | Oibdhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpebbije.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlcde32.dll" | Ncihbaie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hjmodffo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhhodg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmoagk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gnlenp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jjhjae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcpkmo32.dll" | Kkaljpmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiqmepi.dll" | Affgno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nqgiel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll" | Bdlfjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jehfcl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kapclned.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdphhoqn.dll" | Kpepmkjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngjcgdba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmccnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpoo32.dll" | Dfeibf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lagepl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamjca32.dll" | Dqdgop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdfipld.dll" | Eqdpfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbfoeiei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Najagp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cqmgigfk.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                                     procid_target
PID 5108 wrote to memory of 1488    5108  NEAS.b8c086bbf9266afda24bdd229e4df480.exe   91
PID 5108 wrote to memory of 1488    5108  NEAS.b8c086bbf9266afda24bdd229e4df480.exe   91
PID 5108 wrote to memory of 1488    5108  NEAS.b8c086bbf9266afda24bdd229e4df480.exe   91
PID 1488 wrote to memory of 4896    1488  Kcmfnd32.exe                                92
PID 1488 wrote to memory of 4896    1488  Kcmfnd32.exe                                92
PID 1488 wrote to memory of 4896    1488  Kcmfnd32.exe                                92
PID 4896 wrote to memory of 3244    4896  Lllagh32.exe                                93
PID 4896 wrote to memory of 3244    4896  Lllagh32.exe                                93
PID 4896 wrote to memory of 3244    4896  Lllagh32.exe                                93
PID 3244 wrote to memory of 3580    3244  Lcmodajm.exe                                94
PID 3244 wrote to memory of 3580    3244  Lcmodajm.exe                                94
PID 3244 wrote to memory of 3580    3244  Lcmodajm.exe                                94
PID 3580 wrote to memory of 1084    3580  Mbdiknlb.exe                                95
PID 3580 wrote to memory of 1084    3580  Mbdiknlb.exe                                95
PID 3580 wrote to memory of 1084    3580  Mbdiknlb.exe                                95
PID 1084 wrote to memory of 4888    1084  Mqhfoebo.exe                                96
PID 1084 wrote to memory of 4888    1084  Mqhfoebo.exe                                96
PID 1084 wrote to memory of 4888    1084  Mqhfoebo.exe                                96
PID 4888 wrote to memory of 3236    4888  Nhegig32.exe                                97
PID 4888 wrote to memory of 3236    4888  Nhegig32.exe                                97
PID 4888 wrote to memory of 3236    4888  Nhegig32.exe                                97
PID 3236 wrote to memory of 432     3236  Nhhdnf32.exe                                98
PID 3236 wrote to memory of 432     3236  Nhhdnf32.exe                                98
PID 3236 wrote to memory of 432     3236  Nhhdnf32.exe                                98
PID 432 wrote to memory of 4924     432   Nimmifgo.exe                                99
PID 432 wrote to memory of 4924     432   Nimmifgo.exe                                99
PID 432 wrote to memory of 4924     432   Nimmifgo.exe                                99
PID 4924 wrote to memory of 1936    4924  Ooibkpmi.exe                                100
PID 4924 wrote to memory of 1936    4924  Ooibkpmi.exe                                100
PID 4924 wrote to memory of 1936    4924  Ooibkpmi.exe                                100
PID 1936 wrote to memory of 2520    1936  Oonlfo32.exe                                101
PID 1936 wrote to memory of 2520    1936  Oonlfo32.exe                                101
PID 1936 wrote to memory of 2520    1936  Oonlfo32.exe                                101
PID 2520 wrote to memory of 3932    2520  Obnehj32.exe                                102
PID 2520 wrote to memory of 3932    2520  Obnehj32.exe                                102
PID 2520 wrote to memory of 3932    2520  Obnehj32.exe                                102
PID 3932 wrote to memory of 4804    3932  Omfekbdh.exe                                103
PID 3932 wrote to memory of 4804    3932  Omfekbdh.exe                                103
PID 3932 wrote to memory of 4804    3932  Omfekbdh.exe                                103
PID 4804 wrote to memory of 3560    4804  Pjlcjf32.exe                                104
PID 4804 wrote to memory of 3560    4804  Pjlcjf32.exe                                104
PID 4804 wrote to memory of 3560    4804  Pjlcjf32.exe                                104
PID 3560 wrote to memory of 1128    3560  Pjoppf32.exe                                105
PID 3560 wrote to memory of 1128    3560  Pjoppf32.exe                                105
PID 3560 wrote to memory of 1128    3560  Pjoppf32.exe                                105
PID 1128 wrote to memory of 1556    1128  Pfhmjf32.exe                                107
PID 1128 wrote to memory of 1556    1128  Pfhmjf32.exe                                107
PID 1128 wrote to memory of 1556    1128  Pfhmjf32.exe                                107
PID 1556 wrote to memory of 3052    1556  Amfobp32.exe                                106
PID 1556 wrote to memory of 3052    1556  Amfobp32.exe                                106
PID 1556 wrote to memory of 3052    1556  Amfobp32.exe                                106
PID 3052 wrote to memory of 2684    3052  Afockelf.exe                                108
PID 3052 wrote to memory of 2684    3052  Afockelf.exe                                108
PID 3052 wrote to memory of 2684    3052  Afockelf.exe                                108
PID 2684 wrote to memory of 3432    2684  Apjdikqd.exe                                109
PID 2684 wrote to memory of 3432    2684  Apjdikqd.exe                                109
PID 2684 wrote to memory of 3432    2684  Apjdikqd.exe                                109
PID 3432 wrote to memory of 3488    3432  Ampaho32.exe                                110
PID 3432 wrote to memory of 3488    3432  Ampaho32.exe                                110
PID 3432 wrote to memory of 3488    3432  Ampaho32.exe                                110
PID 3488 wrote to memory of 4576    3488  Bdlfjh32.exe                                111
PID 3488 wrote to memory of 4576    3488  Bdlfjh32.exe                                111
PID 3488 wrote to memory of 4576    3488  Bdlfjh32.exe                                111
PID 4576 wrote to memory of 4236    4576  Bmggingc.exe                                112
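The list above is one row per WriteProcessMemory call, and every spawn appears three times, so the lineage is easier to see once the rows are deduplicated into parent-to-child edges and walked from the submitted sample's PID. The script below is an added example, not part of the sandbox report or its tooling; it parses rows in the report's own row format (the constructed SAMPLE_IOCS holds the first five spawns copied from the list), collapses duplicates with a write count, rebuilds the chain, and flags any parent that wrote into more than one distinct child (none here, which is what makes this a strictly linear drop-and-execute chain). The image of the last process in the chain is unknown from this list alone, so it is reported as None; the process tree section supplies it.

```python
"""Rebuild the spawn chain from a flattened 'Suspicious use of WriteProcessMemory' IoC list."""
import re
from collections import Counter, OrderedDict

# Constructed sample in the report's own row format:
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# These are the first five spawns of the chain (the real list has 64 rows).
SAMPLE_IOCS = """\
PID 5108 wrote to memory of 1488 5108 NEAS.b8c086bbf9266afda24bdd229e4df480.exe 91
PID 5108 wrote to memory of 1488 5108 NEAS.b8c086bbf9266afda24bdd229e4df480.exe 91
PID 5108 wrote to memory of 1488 5108 NEAS.b8c086bbf9266afda24bdd229e4df480.exe 91
PID 1488 wrote to memory of 4896 1488 Kcmfnd32.exe 92
PID 1488 wrote to memory of 4896 1488 Kcmfnd32.exe 92
PID 1488 wrote to memory of 4896 1488 Kcmfnd32.exe 92
PID 4896 wrote to memory of 3244 4896 Lllagh32.exe 93
PID 4896 wrote to memory of 3244 4896 Lllagh32.exe 93
PID 4896 wrote to memory of 3244 4896 Lllagh32.exe 93
PID 3244 wrote to memory of 3580 3244 Lcmodajm.exe 94
PID 3244 wrote to memory of 3580 3244 Lcmodajm.exe 94
PID 3244 wrote to memory of 3580 3244 Lcmodajm.exe 94
PID 3580 wrote to memory of 1084 3580 Mbdiknlb.exe 95
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Parse IoC rows into (src_pid, dst_pid, src_image) tuples.

    The source PID appears twice per row (in the description and in the pid
    column); a row where the two disagree is rejected rather than trusted."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError("unparseable row: %r" % line)
        desc_pid, dst, col_pid, image, _target = m.groups()
        if desc_pid != col_pid:
            raise ValueError("pid mismatch in row: %r" % line)
        rows.append((int(desc_pid), int(dst), image))
    return rows


def dedupe_edges(rows):
    """Collapse repeated rows into one (src, dst) edge each, keeping the write count
    and a pid -> image map for every process that acted as a writer."""
    counts = Counter((src, dst) for src, dst, _ in rows)
    images = {src: image for src, _, image in rows}
    edges = OrderedDict()
    for src, dst, _ in rows:
        if (src, dst) not in edges:
            edges[(src, dst)] = counts[(src, dst)]
    return edges, images


def spawn_chain(edges, images, root_pid):
    """Walk parent -> child from root_pid; returns [(pid, image_or_None), ...].

    Follows the first child of each parent, stops at a process that wrote to
    nothing, and never revisits a PID (guards against PID reuse loops)."""
    children = {}
    for (src, dst) in edges:
        children.setdefault(src, []).append(dst)
    chain, pid, seen = [], root_pid, set()
    while pid not in seen:
        seen.add(pid)
        chain.append((pid, images.get(pid)))
        kids = children.get(pid, [])
        if not kids:
            break
        pid = kids[0]
    return chain


def fan_out(edges):
    """Parents that wrote to more than one distinct child; empty for a pure chain."""
    kids = {}
    for (src, dst) in edges:
        kids.setdefault(src, set()).add(dst)
    return {src: sorted(d) for src, d in kids.items() if len(d) > 1}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_IOCS)
    edges, images = dedupe_edges(rows)
    for (src, dst), n in edges.items():
        print("%5d -> %5d  %-45s x%d" % (src, dst, images[src], n))
    chain = spawn_chain(edges, images, 5108)
    print("chain:", " -> ".join(img or ("pid %d" % pid) for pid, img in chain))
    print("fan-out:", fan_out(edges) or "none (linear chain)")
```

Feeding the full 64-row list to parse_rows gives a 23-process chain with no fan-out; the row count per edge (3, except the last edge, which is cut off at the 64-IoC display limit) is a sandbox artifact of how the hooks record the spawn, not three separate injections.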
Processes
Each entry gives the nesting depth in brackets, the image path, the command line the process was started with, its PID, and then the signatures it triggered. Every dropped child lives in C:\Windows\SysWOW64 while its command line names C:\Windows\system32: the binaries are 32-bit and the path is resolved through WOW64 file-system redirection.

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.b8c086bbf9266afda24bdd229e4df480.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b8c086bbf9266afda24bdd229e4df480.exe")  PID:5108
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Kcmfnd32.exe  (command line: C:\Windows\system32\Kcmfnd32.exe)  PID:1488
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Lllagh32.exe  (command line: C:\Windows\system32\Lllagh32.exe)  PID:4896
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Lcmodajm.exe  (command line: C:\Windows\system32\Lcmodajm.exe)  PID:3244
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Mbdiknlb.exe  (command line: C:\Windows\system32\Mbdiknlb.exe)  PID:3580
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Mqhfoebo.exe  (command line: C:\Windows\system32\Mqhfoebo.exe)  PID:1084
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Nhegig32.exe  (command line: C:\Windows\system32\Nhegig32.exe)  PID:4888
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Nhhdnf32.exe  (command line: C:\Windows\system32\Nhhdnf32.exe)  PID:3236
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Nimmifgo.exe  (command line: C:\Windows\system32\Nimmifgo.exe)  PID:432
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Ooibkpmi.exe  (command line: C:\Windows\system32\Ooibkpmi.exe)  PID:4924
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Oonlfo32.exe  (command line: C:\Windows\system32\Oonlfo32.exe)  PID:1936
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Obnehj32.exe  (command line: C:\Windows\system32\Obnehj32.exe)  PID:2520
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Omfekbdh.exe  (command line: C:\Windows\system32\Omfekbdh.exe)  PID:3932
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Pjlcjf32.exe  (command line: C:\Windows\system32\Pjlcjf32.exe)  PID:4804
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Pjoppf32.exe  (command line: C:\Windows\system32\Pjoppf32.exe)  PID:3560
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Pfhmjf32.exe  (command line: C:\Windows\system32\Pfhmjf32.exe)  PID:1128
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Amfobp32.exe  (command line: C:\Windows\system32\Amfobp32.exe)  PID:1556
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
Continuation of the chain above: Afockelf.exe is spawned by Amfobp32.exe (PID 1556) according to the WriteProcessMemory list, but the report renders the remaining processes as a second tree that starts again at depth 1.

[1] C:\Windows\SysWOW64\Afockelf.exe  (command line: C:\Windows\system32\Afockelf.exe)  PID:3052
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Apjdikqd.exe  (command line: C:\Windows\system32\Apjdikqd.exe)  PID:2684
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Ampaho32.exe  (command line: C:\Windows\system32\Ampaho32.exe)  PID:3432
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Bdlfjh32.exe  (command line: C:\Windows\system32\Bdlfjh32.exe)  PID:3488
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Bmggingc.exe  (command line: C:\Windows\system32\Bmggingc.exe)  PID:4576
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Bbfmgd32.exe  (command line: C:\Windows\system32\Bbfmgd32.exe)  PID:4236
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[7] C:\Windows\SysWOW64\Ckpamabg.exe  (command line: C:\Windows\system32\Ckpamabg.exe)  PID:3436
    - Executes dropped EXE
    - Drops file in System32 directory
[8] C:\Windows\SysWOW64\Ccmcgcmp.exe  (command line: C:\Windows\system32\Ccmcgcmp.exe)  PID:3888
    - Executes dropped EXE
[9] C:\Windows\SysWOW64\Ckggnp32.exe  (command line: C:\Windows\system32\Ckggnp32.exe)  PID:1316
    - Executes dropped EXE
[10] C:\Windows\SysWOW64\Daeifj32.exe  (command line: C:\Windows\system32\Daeifj32.exe)  PID:4696
    - Executes dropped EXE
    - Drops file in System32 directory
[11] C:\Windows\SysWOW64\Dckoia32.exe  (command line: C:\Windows\system32\Dckoia32.exe)  PID:2600
    - Executes dropped EXE
[12] C:\Windows\SysWOW64\Egkddo32.exe  (command line: C:\Windows\system32\Egkddo32.exe)  PID:4328
    - Executes dropped EXE
[13] C:\Windows\SysWOW64\Ecikjoep.exe  (command line: C:\Windows\system32\Ecikjoep.exe)  PID:4000
    - Executes dropped EXE
[14] C:\Windows\SysWOW64\Edihdb32.exe  (command line: C:\Windows\system32\Edihdb32.exe)  PID:4168
    - Executes dropped EXE
    - Drops file in System32 directory
[15] C:\Windows\SysWOW64\Fkemfl32.exe  (command line: C:\Windows\system32\Fkemfl32.exe)  PID:3232
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
[16] C:\Windows\SysWOW64\Fnjocf32.exe  (command line: C:\Windows\system32\Fnjocf32.exe)  PID:4224
    - Executes dropped EXE
    - Drops file in System32 directory
[17] C:\Windows\SysWOW64\Gcjdam32.exe  (command line: C:\Windows\system32\Gcjdam32.exe)  PID:4988
    - Executes dropped EXE
[18] C:\Windows\SysWOW64\Gdknpp32.exe  (command line: C:\Windows\system32\Gdknpp32.exe)  PID:4596
    - Executes dropped EXE
[19] C:\Windows\SysWOW64\Hjmodffo.exe  (command line: C:\Windows\system32\Hjmodffo.exe)  PID:3456
    - Executes dropped EXE
    - Modifies registry class
[20] C:\Windows\SysWOW64\Hgapmj32.exe  (command line: C:\Windows\system32\Hgapmj32.exe)  PID:1212
    - Executes dropped EXE
[21] C:\Windows\SysWOW64\Hjaioe32.exe  (command line: C:\Windows\system32\Hjaioe32.exe)  PID:3940
    - Executes dropped EXE
[22] C:\Windows\SysWOW64\Hnpaec32.exe  (command line: C:\Windows\system32\Hnpaec32.exe)  PID:4004
    - Executes dropped EXE
[23] C:\Windows\SysWOW64\Hjfbjdnd.exe  (command line: C:\Windows\system32\Hjfbjdnd.exe)  PID:5032
    - Executes dropped EXE
[24] C:\Windows\SysWOW64\Ijiopd32.exe  (command line: C:\Windows\system32\Ijiopd32.exe)  PID:2068
    - Executes dropped EXE
[25] C:\Windows\SysWOW64\Ieqpbm32.exe  (command line: C:\Windows\system32\Ieqpbm32.exe)  PID:2700
    - Executes dropped EXE
[26] C:\Windows\SysWOW64\Inkaqb32.exe  (command line: C:\Windows\system32\Inkaqb32.exe)  PID:228
    - Executes dropped EXE
[27] C:\Windows\SysWOW64\Jehfcl32.exe  (command line: C:\Windows\system32\Jehfcl32.exe)  PID:2272
    - Executes dropped EXE
    - Modifies registry class
[28] C:\Windows\SysWOW64\Jhhodg32.exe  (command line: C:\Windows\system32\Jhhodg32.exe)  PID:1192
    - Executes dropped EXE
    - Modifies registry class
[29] C:\Windows\SysWOW64\Jelonkph.exe  (command line: C:\Windows\system32\Jelonkph.exe)  PID:5048
    - Executes dropped EXE
[30] C:\Windows\SysWOW64\Jacpcl32.exe  (command line: C:\Windows\system32\Jacpcl32.exe)  PID:4288
    - Executes dropped EXE
[31] C:\Windows\SysWOW64\Kbgfhnhi.exe  (command line: C:\Windows\system32\Kbgfhnhi.exe)  PID:3728
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[32] C:\Windows\SysWOW64\Klpjad32.exe  (command line: C:\Windows\system32\Klpjad32.exe)  PID:984
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[33] C:\Windows\SysWOW64\Kblpcndd.exe  (command line: C:\Windows\system32\Kblpcndd.exe)  PID:4772
    - Executes dropped EXE
[34] C:\Windows\SysWOW64\Klddlckd.exe  (command line: C:\Windows\system32\Klddlckd.exe)  PID:4356
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[35] C:\Windows\SysWOW64\Loemnnhe.exe  (command line: C:\Windows\system32\Loemnnhe.exe)  PID:1380
    - Executes dropped EXE
[36] C:\Windows\SysWOW64\Lhpnlclc.exe  (command line: C:\Windows\system32\Lhpnlclc.exe)  PID:5076
    - Executes dropped EXE
[37] C:\Windows\SysWOW64\Lkqgno32.exe  (command line: C:\Windows\system32\Lkqgno32.exe)  PID:1848
    - Executes dropped EXE
[38] C:\Windows\SysWOW64\Mekdffee.exe  (command line: C:\Windows\system32\Mekdffee.exe)  PID:1020
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[39] C:\Windows\SysWOW64\Mdpagc32.exe  (command line: C:\Windows\system32\Mdpagc32.exe)  PID:3936
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[40] C:\Windows\SysWOW64\Mdbnmbhj.exe  (command line: C:\Windows\system32\Mdbnmbhj.exe)  PID:3476
    - Executes dropped EXE
[41] C:\Windows\SysWOW64\Mllccpfj.exe  (command line: C:\Windows\system32\Mllccpfj.exe)  PID:3996
    - Executes dropped EXE
[42] C:\Windows\SysWOW64\Ndidna32.exe  (command line: C:\Windows\system32\Ndidna32.exe)  PID:3732
    - Executes dropped EXE
[43] C:\Windows\SysWOW64\Nhgmcp32.exe  (command line: C:\Windows\system32\Nhgmcp32.exe)  PID:1652
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[44] C:\Windows\SysWOW64\Nkhfek32.exe  (command line: C:\Windows\system32\Nkhfek32.exe)  PID:3472
    - Executes dropped EXE
[45] C:\Windows\SysWOW64\Ollljmhg.exe  (command line: C:\Windows\system32\Ollljmhg.exe)  PID:4332
    - Executes dropped EXE
    - Modifies registry class
[46] C:\Windows\SysWOW64\Ohcmpn32.exe  (command line: C:\Windows\system32\Ohcmpn32.exe)  PID:3816
    - Executes dropped EXE
[47] C:\Windows\SysWOW64\Okfbgiij.exe  (command line: C:\Windows\system32\Okfbgiij.exe)  PID:4376
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
[48] C:\Windows\SysWOW64\Pmeoqlpl.exe  (command line: C:\Windows\system32\Pmeoqlpl.exe)  PID:3092
    - Executes dropped EXE
[49] C:\Windows\SysWOW64\Pbbgicnd.exe  (command line: C:\Windows\system32\Pbbgicnd.exe)  PID:4428
[50] C:\Windows\SysWOW64\Pbddobla.exe  (command line: C:\Windows\system32\Pbddobla.exe)  PID:2012
[51] C:\Windows\SysWOW64\Pmoagk32.exe  (command line: C:\Windows\system32\Pmoagk32.exe)  PID:1496
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
[52] C:\Windows\SysWOW64\Qifbll32.exe  (command line: C:\Windows\system32\Qifbll32.exe)  PID:2484
[53] C:\Windows\SysWOW64\Qihoak32.exe  (command line: C:\Windows\system32\Qihoak32.exe)  PID:1660
    - Adds autorun key to be loaded by Explorer.exe on startup
[54] C:\Windows\SysWOW64\Aflpkpjm.exe  (command line: C:\Windows\system32\Aflpkpjm.exe)  PID:4668
[55] C:\Windows\SysWOW64\Apddce32.exe  (command line: C:\Windows\system32\Apddce32.exe)  PID:3172
[56] C:\Windows\SysWOW64\Apkjddke.exe  (command line: C:\Windows\system32\Apkjddke.exe)  PID:1276
    - Modifies registry class
[57] C:\Windows\SysWOW64\Aidomjaf.exe  (command line: C:\Windows\system32\Aidomjaf.exe)  PID:4956
[58] C:\Windows\SysWOW64\Bppcpc32.exe  (command line: C:\Windows\system32\Bppcpc32.exe)  PID:4228
[59] C:\Windows\SysWOW64\Bihhhi32.exe  (command line: C:\Windows\system32\Bihhhi32.exe)  PID:1400
[60] C:\Windows\SysWOW64\Bcpika32.exe  (command line: C:\Windows\system32\Bcpika32.exe)  PID:3976
[61] C:\Windows\SysWOW64\Bipnihgi.exe  (command line: C:\Windows\system32\Bipnihgi.exe)  PID:4336
[62] C:\Windows\SysWOW64\Cbhbbn32.exe  (command line: C:\Windows\system32\Cbhbbn32.exe)  PID:3664
[63] C:\Windows\SysWOW64\Cbjogmlf.exe  (command line: C:\Windows\system32\Cbjogmlf.exe)  PID:876
[64] C:\Windows\SysWOW64\Cdjlap32.exe  (command line: C:\Windows\system32\Cdjlap32.exe)  PID:216
    - Drops file in System32 directory
[65] C:\Windows\SysWOW64\Clgmkbna.exe  (command line: C:\Windows\system32\Clgmkbna.exe)  PID:2020
[66] C:\Windows\SysWOW64\Cmgjee32.exe  (command line: C:\Windows\system32\Cmgjee32.exe)  PID:3960
[67] C:\Windows\SysWOW64\Debnjgcp.exe  (command line: C:\Windows\system32\Debnjgcp.exe)  PID:5124
    - Drops file in System32 directory
[68] C:\Windows\SysWOW64\Dfakcj32.exe  (command line: C:\Windows\system32\Dfakcj32.exe)  PID:5168
    - Drops file in System32 directory
[69] C:\Windows\SysWOW64\Dmnpfd32.exe  (command line: C:\Windows\system32\Dmnpfd32.exe)  PID:5208
[70] C:\Windows\SysWOW64\Didqkeeq.exe  (command line: C:\Windows\system32\Didqkeeq.exe)  PID:5256
[71] C:\Windows\SysWOW64\Dekapfke.exe  (command line: C:\Windows\system32\Dekapfke.exe)  PID:5300
[72] C:\Windows\SysWOW64\Ecoaijio.exe  (command line: C:\Windows\system32\Ecoaijio.exe)  PID:5344
[73] C:\Windows\SysWOW64\Edoncm32.exe  (command line: C:\Windows\system32\Edoncm32.exe)  PID:5388
[74] C:\Windows\SysWOW64\Epeohn32.exe  (command line: C:\Windows\system32\Epeohn32.exe)  PID:5432
    - Drops file in System32 directory
[75] C:\Windows\SysWOW64\Eincadmf.exe  (command line: C:\Windows\system32\Eincadmf.exe)  PID:5476
[76] C:\Windows\SysWOW64\Enllgbcl.exe  (command line: C:\Windows\system32\Enllgbcl.exe)  PID:5520
[77] C:\Windows\SysWOW64\Egdqph32.exe  (command line: C:\Windows\system32\Egdqph32.exe)  PID:5564
[78] C:\Windows\SysWOW64\Flcfnn32.exe  (command line: C:\Windows\system32\Flcfnn32.exe)  PID:5608
[79] C:\Windows\SysWOW64\Fgijkgeh.exe  (command line: C:\Windows\system32\Fgijkgeh.exe)  PID:5656
[80] C:\Windows\SysWOW64\Ffnglc32.exe  (command line: C:\Windows\system32\Ffnglc32.exe)  PID:5696
[81] C:\Windows\SysWOW64\Fgncff32.exe  (command line: C:\Windows\system32\Fgncff32.exe)  PID:5740
[82] C:\Windows\SysWOW64\Fdadpk32.exe  (command line: C:\Windows\system32\Fdadpk32.exe)  PID:5784
    - Drops file in System32 directory
[83] C:\Windows\SysWOW64\Gnlenp32.exe  (command line: C:\Windows\system32\Gnlenp32.exe)  PID:5828
    - Modifies registry class
[84] C:\Windows\SysWOW64\Gfgjbb32.exe  (command line: C:\Windows\system32\Gfgjbb32.exe)  PID:5872
[85] C:\Windows\SysWOW64\Gdhjpjjd.exe  (command line: C:\Windows\system32\Gdhjpjjd.exe)  PID:5916
[86] C:\Windows\SysWOW64\Gnanioad.exe  (command line: C:\Windows\system32\Gnanioad.exe)  PID:5960
[87] C:\Windows\SysWOW64\Ggicbe32.exe  (command line: C:\Windows\system32\Ggicbe32.exe)  PID:6004
[88] C:\Windows\SysWOW64\Gqagkjne.exe  (command line: C:\Windows\system32\Gqagkjne.exe)  PID:6052
[89] C:\Windows\SysWOW64\Hcbpme32.exe  (command line: C:\Windows\system32\Hcbpme32.exe)  PID:6092
[90] C:\Windows\SysWOW64\Hqfqfj32.exe  (command line: C:\Windows\system32\Hqfqfj32.exe)  PID:6140
[91] C:\Windows\SysWOW64\Hjcojo32.exe  (command line: C:\Windows\system32\Hjcojo32.exe)  PID:5156
[92] C:\Windows\SysWOW64\Iggocbke.exe  (command line: C:\Windows\system32\Iggocbke.exe)  PID:5248
[93] C:\Windows\SysWOW64\Idkpmgjo.exe  (command line: C:\Windows\system32\Idkpmgjo.exe)  PID:5340
[94] C:\Windows\SysWOW64\Ijhhenhf.exe  (command line: C:\Windows\system32\Ijhhenhf.exe)  PID:5412
[95] C:\Windows\SysWOW64\Iglhob32.exe  (command line: C:\Windows\system32\Iglhob32.exe)  PID:5484
[96] C:\Windows\SysWOW64\Iepihf32.exe  (command line: C:\Windows\system32\Iepihf32.exe)  PID:5544
[97] C:\Windows\SysWOW64\Imknli32.exe  (command line: C:\Windows\system32\Imknli32.exe)  PID:5620
[98] C:\Windows\SysWOW64\Ifcben32.exe  (command line: C:\Windows\system32\Ifcben32.exe)  PID:5704
[99] C:\Windows\SysWOW64\Jeilne32.exe  (command line: C:\Windows\system32\Jeilne32.exe)  PID:5768
    - Drops file in System32 directory
[100] C:\Windows\SysWOW64\Jjfdfl32.exe  (command line: C:\Windows\system32\Jjfdfl32.exe)  PID:5812
[101] C:\Windows\SysWOW64\Jfmekm32.exe  (command line: C:\Windows\system32\Jfmekm32.exe)  PID:5908
[102] C:\Windows\SysWOW64\Jabiie32.exe  (command line: C:\Windows\system32\Jabiie32.exe)  PID:5996
[103] C:\Windows\SysWOW64\Kjpgmj32.exe  (command line: C:\Windows\system32\Kjpgmj32.exe)  PID:6080
[104] C:\Windows\SysWOW64\Kdhlepkl.exe  (command line: C:\Windows\system32\Kdhlepkl.exe)  PID:3672
[105] C:\Windows\SysWOW64\Kanidd32.exe  (command line: C:\Windows\system32\Kanidd32.exe)  PID:5244
    - Drops file in System32 directory
[106] C:\Windows\SysWOW64\Knbinhfl.exe  (command line: C:\Windows\system32\Knbinhfl.exe)  PID:5380
[107] C:\Windows\SysWOW64\Ljijci32.exe  (command line: C:\Windows\system32\Ljijci32.exe)  PID:5496
[108] C:\Windows\SysWOW64\Lennpb32.exe  (command line: C:\Windows\system32\Lennpb32.exe)  PID:5600
[109] C:\Windows\SysWOW64\Ljkghi32.exe  (command line: C:\Windows\system32\Ljkghi32.exe)  PID:5780
[110] C:\Windows\SysWOW64\Lhogamih.exe  (command line: C:\Windows\system32\Lhogamih.exe)  PID:5880
[111] C:\Windows\SysWOW64\Lhadgmge.exe  (command line: C:\Windows\system32\Lhadgmge.exe)  PID:5984
[112] C:\Windows\SysWOW64\Mkgfdgpq.exe  (command line: C:\Windows\system32\Mkgfdgpq.exe)  PID:4868
[113] C:\Windows\SysWOW64\Mmhofbma.exe  (command line: C:\Windows\system32\Mmhofbma.exe)  PID:5224
[114] C:\Windows\SysWOW64\Mmjlkb32.exe  (command line: C:\Windows\system32\Mmjlkb32.exe)  PID:5444
[115] C:\Windows\SysWOW64\Moiheebb.exe  (command line: C:\Windows\system32\Moiheebb.exe)  PID:5728
    - Adds autorun key to be loaded by Explorer.exe on startup
[116] C:\Windows\SysWOW64\Ndfanlpi.exe  (command line: C:\Windows\system32\Ndfanlpi.exe)  PID:5992
[117] C:\Windows\SysWOW64\Najagp32.exe  (command line: C:\Windows\system32\Najagp32.exe)  PID:5240
    - Modifies registry class
[118] C:\Windows\SysWOW64\Nkbfpeec.exe  (command line: C:\Windows\system32\Nkbfpeec.exe)  PID:5560
[119] C:\Windows\SysWOW64\Oacdmo32.exe  (command line: C:\Windows\system32\Oacdmo32.exe)  PID:6044
[120] C:\Windows\SysWOW64\Oafacn32.exe  (command line: C:\Windows\system32\Oafacn32.exe)  PID:5372
[121] C:\Windows\SysWOW64\Okneldkf.exe  (command line: C:\Windows\system32\Okneldkf.exe)  PID:5220
    - Adds autorun key to be loaded by Explorer.exe on startup
[122] C:\Windows\SysWOW64\Ogefqeaj.exe  (command line: C:\Windows\system32\Ogefqeaj.exe)  PID:5836
    - Drops file in System32 directory