Analysis
max time kernel: 116s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/11/2023, 00:53
Behavioral task behavioral1
Sample: NEAS.e01ac90f161ec481159629b8d9a14970.exe
Resource: win7-20231023-en

Behavioral task behavioral2
Sample: NEAS.e01ac90f161ec481159629b8d9a14970.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.e01ac90f161ec481159629b8d9a14970.exe
Size: 445KB
MD5: e01ac90f161ec481159629b8d9a14970
SHA1: b2f007a027205d711d43209e98b45e7efec3ab3a
SHA256: 05044ba7af0c8a7b2d37bc68b0d2c15ca21f5e3aa711964c2e56c1ced9cf642e
SHA512: 56d683e1e15f17a8e97088c27633dc41c940888671d44f9540029b58fbd35ff335dc16e72ea0d489f24d32c330fdac2064026ee6c9e9e9c7456d995941f5b3f5
SSDEEP: 12288:eApV6yYPMLnfBJKFbhDwBpV6yYP0riuoCgNbbko8JfSIuMUb1V4D0:PWMLnfBJKhVwBW0riuoCgNbbj8JfS1Mq
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lmgfod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dhbqalle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fjphoi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgbljkca.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iokocmnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jognokdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ipldpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nbfoeiei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nchhfild.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gechnpid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ncenga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jihngboe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ihfpabbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cplckbmc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mginniij.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Geqlhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bgfpdmho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efolidno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jahnkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fjfgealk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kkdnjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iecmhlhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jgbhdkml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pimmil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pimmil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Onklkhnn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iecmhlhb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifoijonj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Falcli32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkqhpmkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjmmfq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Idfkednq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Falcli32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmkqknci.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnpognhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Odbgbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hqjcgbbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kanbjn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpoljg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Janghmia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ofcaab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dnhgidka.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Knhkkfod.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inhion32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iokocmnf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mekdffee.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oelhljaq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efnennjc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfoflj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngbgmpcq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obfhmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jogeia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nfchjddj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Koggehff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqopqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gjmmfq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hfljfjpq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khcgfo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npjnbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hafpiehg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obccpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obeikc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Eqpfknbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kanffogf.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it downloads and installs additional malware such as other Trojans, ransomware and cryptominers.
resource | yara_rule
behavioral2/files/0x0007000000022cf8-8.dat | family_berbew
behavioral2/files/0x0007000000022cf8-6.dat | family_berbew
behavioral2/files/0x000b000000022cf6-14.dat | family_berbew
behavioral2/files/0x000b000000022cf6-16.dat | family_berbew
behavioral2/files/0x0007000000022cfb-23.dat | family_berbew
behavioral2/files/0x0006000000022cfd-32.dat | family_berbew
behavioral2/files/0x0006000000022cfd-30.dat | family_berbew
behavioral2/files/0x0006000000022cff-38.dat | family_berbew
behavioral2/files/0x0006000000022cff-39.dat | family_berbew
behavioral2/files/0x0007000000022cfb-22.dat | family_berbew
behavioral2/files/0x0006000000022d01-46.dat | family_berbew
behavioral2/files/0x0006000000022d01-48.dat | family_berbew
behavioral2/files/0x0006000000022d03-56.dat | family_berbew
behavioral2/files/0x0006000000022d03-54.dat | family_berbew
behavioral2/files/0x0008000000022be3-64.dat | family_berbew
behavioral2/files/0x0008000000022be3-63.dat | family_berbew
behavioral2/files/0x0008000000022be3-58.dat | family_berbew
behavioral2/files/0x0006000000022d06-72.dat | family_berbew
behavioral2/files/0x0006000000022d06-71.dat | family_berbew
behavioral2/files/0x0006000000022d08-80.dat | family_berbew
behavioral2/files/0x0006000000022d08-79.dat | family_berbew
behavioral2/files/0x0006000000022d08-74.dat | family_berbew
behavioral2/files/0x0006000000022d0c-95.dat | family_berbew
behavioral2/files/0x0006000000022d0c-97.dat | family_berbew
behavioral2/files/0x0006000000022d0c-91.dat | family_berbew
behavioral2/files/0x0006000000022d0a-89.dat | family_berbew
behavioral2/files/0x0006000000022d0a-87.dat | family_berbew
behavioral2/files/0x0006000000022d0e-103.dat | family_berbew
behavioral2/files/0x0006000000022d0e-105.dat | family_berbew
behavioral2/files/0x0006000000022d10-111.dat | family_berbew
behavioral2/files/0x0006000000022d10-113.dat | family_berbew
behavioral2/files/0x0006000000022d12-121.dat | family_berbew
behavioral2/files/0x0006000000022d12-119.dat | family_berbew
behavioral2/files/0x0006000000022d14-128.dat | family_berbew
behavioral2/files/0x0006000000022d16-137.dat | family_berbew
behavioral2/files/0x0006000000022d16-135.dat | family_berbew
behavioral2/files/0x0006000000022d14-127.dat | family_berbew
behavioral2/files/0x0006000000022d18-144.dat | family_berbew
behavioral2/files/0x0006000000022d18-143.dat | family_berbew
behavioral2/files/0x0006000000022d1a-151.dat | family_berbew
behavioral2/files/0x0006000000022d1a-152.dat | family_berbew
behavioral2/files/0x0006000000022d1c-154.dat | family_berbew
behavioral2/files/0x0006000000022d1c-159.dat | family_berbew
behavioral2/files/0x0006000000022d20-167.dat | family_berbew
behavioral2/files/0x0006000000022d20-168.dat | family_berbew
behavioral2/files/0x0006000000022d22-177.dat | family_berbew
behavioral2/files/0x0006000000022d22-175.dat | family_berbew
behavioral2/files/0x0006000000022d24-183.dat | family_berbew
behavioral2/files/0x0006000000022d24-185.dat | family_berbew
behavioral2/files/0x0006000000022d26-186.dat | family_berbew
behavioral2/files/0x0006000000022d26-191.dat | family_berbew
behavioral2/files/0x0006000000022d26-193.dat | family_berbew
behavioral2/files/0x0006000000022d28-199.dat | family_berbew
behavioral2/files/0x0006000000022d28-200.dat | family_berbew
behavioral2/files/0x0006000000022d2a-207.dat | family_berbew
behavioral2/files/0x0006000000022d2a-209.dat | family_berbew
behavioral2/files/0x0006000000022d2c-215.dat | family_berbew
behavioral2/files/0x0006000000022d2c-216.dat | family_berbew
behavioral2/files/0x0006000000022d2e-218.dat | family_berbew
behavioral2/files/0x0006000000022d2e-223.dat | family_berbew
behavioral2/files/0x0006000000022d2e-224.dat | family_berbew
behavioral2/files/0x0006000000022d30-231.dat | family_berbew
behavioral2/files/0x0006000000022d30-232.dat | family_berbew
behavioral2/files/0x0006000000022d32-239.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
3456 | Hkohchko.exe
1332 | Ijiopd32.exe
3824 | Iecmhlhb.exe
4588 | Janghmia.exe
2260 | Jjgkab32.exe
3080 | Jlidpe32.exe
4628 | Khdoqefq.exe
1312 | Lhmafcnf.exe
4656 | Lknjhokg.exe
764 | Mekdffee.exe
4528 | Nchhfild.exe
2272 | Okmpqjad.exe
4576 | Obfhmd32.exe
4688 | Pkmhgh32.exe
1508 | Abcppq32.exe
1504 | Albkieqj.exe
3516 | Bclppboi.exe
4260 | Bmddihfj.exe
1468 | Bimach32.exe
2760 | Cplckbmc.exe
2420 | Dpllbp32.exe
1524 | Egpgehnb.exe
2920 | Elolco32.exe
4768 | Fpfholhc.exe
3188 | Hgpibdam.exe
3992 | Ifoijonj.exe
3736 | Iedbcebd.exe
5116 | Jfhlpnfp.exe
1344 | Jmdqbg32.exe
3320 | Khonkogj.exe
3588 | Khcgfo32.exe
4732 | Knmpbi32.exe
1704 | Kjdqhjpf.exe
3356 | Lmgfod32.exe
4824 | Leedqa32.exe
4028 | Lkbmih32.exe
2400 | Mginniij.exe
4804 | Mhkgnkoj.exe
920 | Mgbpdgap.exe
1580 | Najagp32.exe
5024 | Nhffijdm.exe
4232 | Naaghoik.exe
116 | Ohbfeh32.exe
2596 | Pgaelcgm.exe
1796 | Qkakhakq.exe
1144 | Aokcjngj.exe
4524 | Bfieagka.exe
3444 | Cpklql32.exe
4512 | Cnpibh32.exe
3120 | Cldjkl32.exe
3092 | Clffalkf.exe
4264 | Dlicflic.exe
400 | Dfngcdhi.exe
3424 | Dhbqalle.exe
3548 | Dlbfmjqi.exe
4200 | Eoconenj.exe
4684 | Ehnpmkbg.exe
2308 | Efopjbjg.exe
636 | Efampahd.exe
1396 | Fplnogmb.exe
876 | Fcmgpbjc.exe
2804 | Fcodfa32.exe
3200 | Fpcdof32.exe
2532 | Fhnichde.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Okmpqjad.exe | Nchhfild.exe
File created | C:\Windows\SysWOW64\Ddaljhid.dll | Nbhkjicf.exe
File opened for modification | C:\Windows\SysWOW64\Egpgehnb.exe | Dpllbp32.exe
File opened for modification | C:\Windows\SysWOW64\Jihngboe.exe | Jgbhdkml.exe
File opened for modification | C:\Windows\SysWOW64\Pmefiakh.exe | Pmbjcb32.exe
File created | C:\Windows\SysWOW64\Dngdfc32.dll | Qfcjhphd.exe
File opened for modification | C:\Windows\SysWOW64\Hjkigojc.exe | Habeni32.exe
File created | C:\Windows\SysWOW64\Nbfoeiei.exe | Ncenga32.exe
File created | C:\Windows\SysWOW64\Janghmia.exe | Iecmhlhb.exe
File created | C:\Windows\SysWOW64\Bcdqnmmm.dll | Ghmbib32.exe
File opened for modification | C:\Windows\SysWOW64\Obccpj32.exe | Oljkcpnb.exe
File opened for modification | C:\Windows\SysWOW64\Mqkijnkp.exe | Mojmbf32.exe
File created | C:\Windows\SysWOW64\Pnqlfh32.dll | Ncihbaie.exe
File opened for modification | C:\Windows\SysWOW64\Koceep32.exe | Jdiglgbg.exe
File created | C:\Windows\SysWOW64\Nbpihgfg.dll | Akdfndpd.exe
File created | C:\Windows\SysWOW64\Jddnah32.exe | Jogeia32.exe
File created | C:\Windows\SysWOW64\Nphkadgc.dll | Jahnkl32.exe
File created | C:\Windows\SysWOW64\Koceep32.exe | Jdiglgbg.exe
File created | C:\Windows\SysWOW64\Fdmlgcnh.dll | Cngnbfid.exe
File created | C:\Windows\SysWOW64\Lennjaej.dll | Iedbcebd.exe
File created | C:\Windows\SysWOW64\Jbgkhjeo.dll | Iokocmnf.exe
File opened for modification | C:\Windows\SysWOW64\Jondojna.exe | Jmnheggo.exe
File created | C:\Windows\SysWOW64\Gcbnjh32.dll | Lmkipncc.exe
File created | C:\Windows\SysWOW64\Fdmepl32.dll | Enfjdh32.exe
File created | C:\Windows\SysWOW64\Jogeia32.exe | Inhion32.exe
File opened for modification | C:\Windows\SysWOW64\Qfanbpjg.exe | Pimmil32.exe
File opened for modification | C:\Windows\SysWOW64\Cngnbfid.exe | Ccajdmin.exe
File opened for modification | C:\Windows\SysWOW64\Booaii32.exe | Blnhgn32.exe
File opened for modification | C:\Windows\SysWOW64\Gfedfk32.exe | Gmmome32.exe
File created | C:\Windows\SysWOW64\Fceihh32.exe | Fmkqknci.exe
File created | C:\Windows\SysWOW64\Hjfplo32.exe | Hdlhoefk.exe
File created | C:\Windows\SysWOW64\Dgdeikmo.dll | Mqimdomb.exe
File opened for modification | C:\Windows\SysWOW64\Godehbed.exe | Fhonpi32.exe
File opened for modification | C:\Windows\SysWOW64\Gbgkpm32.exe | Gmkbgf32.exe
File created | C:\Windows\SysWOW64\Kpqlaa32.dll | Hapancai.exe
File opened for modification | C:\Windows\SysWOW64\Cnpibh32.exe | Cpklql32.exe
File created | C:\Windows\SysWOW64\Dfngcdhi.exe | Dlicflic.exe
File created | C:\Windows\SysWOW64\Efampahd.exe | Efopjbjg.exe
File opened for modification | C:\Windows\SysWOW64\Pmfldkei.exe | Pbahgbfc.exe
File created | C:\Windows\SysWOW64\Kekdfb32.dll | Acaanp32.exe
File created | C:\Windows\SysWOW64\Ffhnocfd.exe | Fakfglhm.exe
File created | C:\Windows\SysWOW64\Pigfha32.dll | Gmkbgf32.exe
File created | C:\Windows\SysWOW64\Kbapdfkb.exe | Kkfkod32.exe
File created | C:\Windows\SysWOW64\Khmoionj.exe | Knhkkfod.exe
File created | C:\Windows\SysWOW64\Booaii32.exe | Blnhgn32.exe
File created | C:\Windows\SysWOW64\Ikhghi32.exe | Iibaeb32.exe
File opened for modification | C:\Windows\SysWOW64\Gdaonmdd.exe | Fjikeg32.exe
File created | C:\Windows\SysWOW64\Hchbkneg.dll | Algiaepd.exe
File created | C:\Windows\SysWOW64\Efnennjc.exe | Elepei32.exe
File opened for modification | C:\Windows\SysWOW64\Efampahd.exe | Efopjbjg.exe
File created | C:\Windows\SysWOW64\Ihmnldib.exe | Imfmgcdn.exe
File created | C:\Windows\SysWOW64\Fjfnphpf.exe | Fhchhm32.exe
File created | C:\Windows\SysWOW64\Ojmpkc32.dll | Hdlhoefk.exe
File created | C:\Windows\SysWOW64\Eoconenj.exe | Dlbfmjqi.exe
File opened for modification | C:\Windows\SysWOW64\Mikepg32.exe | Mbamcm32.exe
File created | C:\Windows\SysWOW64\Hnkphffo.dll | Pcdlghgl.exe
File created | C:\Windows\SysWOW64\Alcfpm32.exe | Agfnhf32.exe
File created | C:\Windows\SysWOW64\Qfanbpjg.exe | Pimmil32.exe
File opened for modification | C:\Windows\SysWOW64\Dgieajgj.exe | Dnqaheai.exe
File opened for modification | C:\Windows\SysWOW64\Fnjmea32.exe | Fceihh32.exe
File opened for modification | C:\Windows\SysWOW64\Hkohchko.exe | NEAS.e01ac90f161ec481159629b8d9a14970.exe
File created | C:\Windows\SysWOW64\Qpboqfjk.dll | Aphegjhc.exe
File created | C:\Windows\SysWOW64\Heefek32.dll | Plgpjhnf.exe
File opened for modification | C:\Windows\SysWOW64\Gaibhj32.exe | Gfcnka32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
9148 | 2724 | WerFault.exe | 528
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnqeip32.dll" | Mgbpdgap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hafpiehg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkjhae32.dll" | Pllppnnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amddeq32.dll" | Dfeibf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fceihh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojdcfae.dll" | Dllmoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ijiopd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Febogbhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qlpcpffl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hchbkneg.dll" | Algiaepd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kgbljkca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pinpojcj.dll" | Iibaeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Algiaepd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dfeibf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hfljfjpq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mpoljg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lkbmih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nchhfild.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bfieagka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphljg32.dll" | Glmqjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqlaa32.dll" | Hapancai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbcildbi.dll" | Ngbgmpcq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hkohchko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekekpd32.dll" | Jdiglgbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kadnfkji.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cckmklac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dgieajgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Aphegjhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiffij32.dll" | Kjdqhjpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekijfnm.dll" | Koiejemn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgnonhdl.dll" | Llpofd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oelhljaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Elepei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoalnm32.dll" | Ndpafe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchfjc32.dll" | Okmpqjad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gogjflhf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hifaic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpfmji.dll" | Egoomnin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fjikeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hhojqcil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ionlhlld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ififkj32.dll" | Lkldlgok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jfhlpnfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmiodlkh.dll" | Mncmck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kpanmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkhmakf.dll" | Jplmglbf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mcpjnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Akdfndpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpboqfjk.dll" | Aphegjhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndaj32.dll" | Eeimqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mqimdomb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ghmbib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hcofbifb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeogjckh.dll" | Dfclmfhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Blnhgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jinloboo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnafl32.dll" | Ncenga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | NEAS.e01ac90f161ec481159629b8d9a14970.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkljdjj.dll" | Mihikgod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpenokc.dll" | Eqpfknbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Efnennjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnemc32.dll" | Mddbjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlhjjnc.dll" | Jlidpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhqicgm.dll" | Jknocljn.exe
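The two registry signatures above describe one persistence mechanism: a value under ShellServiceObjectDelayLoad (SSODL) names a CLSID, and that CLSID's InProcServer32 key points at a DLL in SysWow64, so Explorer loads the DLL at every logon. The script below is an added example, not code from tria.ge or from the report; it parses a `reg export` style dump offline, joins each SSODL value to its InProcServer32 path and flags entries outside a small allowlist. The sample export is constructed to mirror the values in this report, and the allowlist (only the stock WebCheck CLSID) is an assumption about a default Windows 10 baseline that should be replaced with a golden-image export.

```python
"""Audit ShellServiceObjectDelayLoad (SSODL) entries from a 'reg export' dump.

Explorer loads every CLSID listed under SSODL at logon, so an entry whose
CLSID resolves to an unfamiliar InProcServer32 DLL is a persistence finding.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the only stock SSODL entry on a default Windows 10 image is WebCheck.
KNOWN_GOOD_CLSIDS = frozenset({"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"})

# Constructed sample export (not captured from a host), modelled on this report:
# the Berbew "Web Event Logger" entry next to the stock WebCheck entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79ECA078-17FF-726B-E811-213280E5C831}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32]
@="C:\\Windows\\SysWow64\\Dnqeip32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\SysWOW64\\webcheck.dll"
"ThreadingModel"="Apartment"
'''

# "name"="data" or @="data" (the key's default value); REG_SZ only.
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {KEY_PATH (upper-cased): {value_name: data}}; '' is the default value."""
    keys: dict[str, dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") or ""
            # .reg files escape backslashes inside string data
            keys[current][name] = m.group("data").replace("\\\\", "\\")
    return keys


@dataclass
class Finding:
    ssodl_key: str
    name: str
    clsid: str
    dll: Optional[str]
    reasons: list[str] = field(default_factory=list)


def resolve_inproc_server(reg: dict[str, dict[str, str]], clsid: str) -> Optional[str]:
    """Default value of CLSID\\{...}\\InProcServer32, checking native and WOW6432Node views."""
    for root in ("HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES", "HKEY_CURRENT_USER\\SOFTWARE\\CLASSES"):
        for view in ("", "WOW6432NODE\\"):
            key = f"{root}\\{view}CLSID\\{clsid.upper()}\\INPROCSERVER32"
            if key in reg and "" in reg[key]:
                return reg[key][""]
    return None


def audit_ssodl(reg: dict[str, dict[str, str]],
                allowlist: frozenset[str] = KNOWN_GOOD_CLSIDS) -> list[Finding]:
    """Flag SSODL entries whose CLSID is not allowlisted or has no resolvable server DLL."""
    findings: list[Finding] = []
    for key, values in reg.items():
        if not key.endswith("\\SHELLSERVICEOBJECTDELAYLOAD"):
            continue
        for name, clsid in values.items():
            reasons = []
            if clsid.upper() not in allowlist:
                reasons.append("CLSID not in SSODL allowlist")
            dll = resolve_inproc_server(reg, clsid)
            if dll is None:
                reasons.append("no InProcServer32 registered for CLSID")
            if reasons:
                findings.append(Finding(key, name, clsid, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_ssodl(parse_reg(SAMPLE_REG)):
        print(f"{f.name!r} -> {f.clsid} -> {f.dll}: {'; '.join(f.reasons)}")
```

Note that the resolved DLL sits under SysWow64, exactly where this report shows Berbew writing it, so a "DLL outside the system directory" heuristic would miss it; the allowlist on the CLSID is what fires. On a live host, follow up by checking the Authenticode signature of the resolved path before deleting the SSODL value and the CLSID key.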
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid Process | procid_target | writes
PID 1208 wrote to memory of 3456 | 1208 NEAS.e01ac90f161ec481159629b8d9a14970.exe | 93 | 3
PID 3456 wrote to memory of 1332 | 3456 Hkohchko.exe | 94 | 3
PID 1332 wrote to memory of 3824 | 1332 Ijiopd32.exe | 97 | 3
PID 3824 wrote to memory of 4588 | 3824 Iecmhlhb.exe | 95 | 3
PID 4588 wrote to memory of 2260 | 4588 Janghmia.exe | 96 | 3
PID 2260 wrote to memory of 3080 | 2260 Jjgkab32.exe | 98 | 3
PID 3080 wrote to memory of 4628 | 3080 Jlidpe32.exe | 99 | 3
PID 4628 wrote to memory of 1312 | 4628 Khdoqefq.exe | 100 | 3
PID 1312 wrote to memory of 4656 | 1312 Lhmafcnf.exe | 101 | 3
PID 4656 wrote to memory of 764 | 4656 Lknjhokg.exe | 102 | 3
PID 764 wrote to memory of 4528 | 764 Mekdffee.exe | 104 | 3
PID 4528 wrote to memory of 2272 | 4528 Nchhfild.exe | 103 | 3
PID 2272 wrote to memory of 4576 | 2272 Okmpqjad.exe | 105 | 3
PID 4576 wrote to memory of 4688 | 4576 Obfhmd32.exe | 106 | 3
PID 4688 wrote to memory of 1508 | 4688 Pkmhgh32.exe | 107 | 3
PID 1508 wrote to memory of 1504 | 1508 Abcppq32.exe | 109 | 3
PID 1504 wrote to memory of 3516 | 1504 Albkieqj.exe | 108 | 3
PID 3516 wrote to memory of 4260 | 3516 Bclppboi.exe | 110 | 3
PID 4260 wrote to memory of 1468 | 4260 Bmddihfj.exe | 111 | 3
PID 1468 wrote to memory of 2760 | 1468 Bimach32.exe | 112 | 3
PID 1196 wrote to memory of 2420 | 1196 Dipgpf32.exe | 114 | 3
PID 2420 wrote to memory of 1524 | 2420 Dpllbp32.exe | 115 | 1
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.e01ac90f161ec481159629b8d9a14970.exe (depth 1, PID 1208)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e01ac90f161ec481159629b8d9a14970.exe"
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Hkohchko.exe (depth 2, PID 3456)
  command line: C:\Windows\system32\Hkohchko.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ijiopd32.exe (depth 3, PID 1332)
  command line: C:\Windows\system32\Ijiopd32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Iecmhlhb.exe (depth 4, PID 3824)
  command line: C:\Windows\system32\Iecmhlhb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Janghmia.exe (depth 1, PID 4588)
  command line: C:\Windows\system32\Janghmia.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jjgkab32.exe (depth 2, PID 2260)
  command line: C:\Windows\system32\Jjgkab32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Jlidpe32.exe (depth 3, PID 3080)
  command line: C:\Windows\system32\Jlidpe32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Khdoqefq.exe (depth 4, PID 4628)
  command line: C:\Windows\system32\Khdoqefq.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lhmafcnf.exe (depth 5, PID 1312)
  command line: C:\Windows\system32\Lhmafcnf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Lknjhokg.exe (depth 6, PID 4656)
  command line: C:\Windows\system32\Lknjhokg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Mekdffee.exe (depth 7, PID 764)
  command line: C:\Windows\system32\Mekdffee.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Nchhfild.exe (depth 8, PID 4528)
  command line: C:\Windows\system32\Nchhfild.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Okmpqjad.exe (depth 1, PID 2272)
  command line: C:\Windows\system32\Okmpqjad.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Obfhmd32.exe (depth 2, PID 4576)
  command line: C:\Windows\system32\Obfhmd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Pkmhgh32.exe (depth 3, PID 4688)
  command line: C:\Windows\system32\Pkmhgh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Abcppq32.exe (depth 4, PID 1508)
  command line: C:\Windows\system32\Abcppq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Albkieqj.exe (depth 5, PID 1504)
  command line: C:\Windows\system32\Albkieqj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bclppboi.exe (depth 1, PID 3516)
  command line: C:\Windows\system32\Bclppboi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bmddihfj.exe (depth 2, PID 4260)
  command line: C:\Windows\system32\Bmddihfj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bimach32.exe (depth 3, PID 1468)
  command line: C:\Windows\system32\Bimach32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Cplckbmc.exe (depth 4, PID 2760)
  command line: C:\Windows\system32\Cplckbmc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dipgpf32.exe (depth 5, PID 1196)
  command line: C:\Windows\system32\Dipgpf32.exe
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Dpllbp32.exe (depth 6, PID 2420)
  command line: C:\Windows\system32\Dpllbp32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Egpgehnb.exe (depth 7, PID 1524)
  command line: C:\Windows\system32\Egpgehnb.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Elolco32.exe (depth 8, PID 2920)
  command line: C:\Windows\system32\Elolco32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fpfholhc.exe (depth 9, PID 4768)
  command line: C:\Windows\system32\Fpfholhc.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Hgpibdam.exe (depth 10, PID 3188)
  command line: C:\Windows\system32\Hgpibdam.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ifoijonj.exe (depth 11, PID 3992)
  command line: C:\Windows\system32\Ifoijonj.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Iedbcebd.exe (depth 12, PID 3736)
  command line: C:\Windows\system32\Iedbcebd.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jfhlpnfp.exe (depth 13, PID 5116)
  command line: C:\Windows\system32\Jfhlpnfp.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Jmdqbg32.exe (depth 14, PID 1344)
  command line: C:\Windows\system32\Jmdqbg32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Khonkogj.exe (depth 15, PID 3320)
  command line: C:\Windows\system32\Khonkogj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Khcgfo32.exe (depth 16, PID 3588)
  command line: C:\Windows\system32\Khcgfo32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Knmpbi32.exe (depth 17, PID 4732)
  command line: C:\Windows\system32\Knmpbi32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Kjdqhjpf.exe (depth 18, PID 1704)
  command line: C:\Windows\system32\Kjdqhjpf.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Lmgfod32.exe (depth 19, PID 3356)
  command line: C:\Windows\system32\Lmgfod32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Leedqa32.exe (depth 20, PID 4824)
  command line: C:\Windows\system32\Leedqa32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Lkbmih32.exe (depth 21, PID 4028)
  command line: C:\Windows\system32\Lkbmih32.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Mginniij.exe (depth 22, PID 2400)
  command line: C:\Windows\system32\Mginniij.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mhkgnkoj.exe (depth 23, PID 4804)
  command line: C:\Windows\system32\Mhkgnkoj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Mgbpdgap.exe (depth 24, PID 920)
  command line: C:\Windows\system32\Mgbpdgap.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Najagp32.exe (depth 25, PID 1580)
  command line: C:\Windows\system32\Najagp32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Nhffijdm.exe (depth 26, PID 5024)
  command line: C:\Windows\system32\Nhffijdm.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Naaghoik.exe (depth 27, PID 4232)
  command line: C:\Windows\system32\Naaghoik.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ohbfeh32.exe (depth 28, PID 116)
  command line: C:\Windows\system32\Ohbfeh32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Pgaelcgm.exe (depth 29, PID 2596)
  command line: C:\Windows\system32\Pgaelcgm.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Qkakhakq.exe (depth 30, PID 1796)
  command line: C:\Windows\system32\Qkakhakq.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Aokcjngj.exe (depth 31, PID 1144)
  command line: C:\Windows\system32\Aokcjngj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Bfieagka.exe (depth 32, PID 4524)
  command line: C:\Windows\system32\Bfieagka.exe
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Cpklql32.exe (depth 33, PID 3444)
  command line: C:\Windows\system32\Cpklql32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Cnpibh32.exe (depth 34, PID 4512)
  command line: C:\Windows\system32\Cnpibh32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Cldjkl32.exe (depth 35, PID 3120)
  command line: C:\Windows\system32\Cldjkl32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Clffalkf.exe (depth 36, PID 3092)
  command line: C:\Windows\system32\Clffalkf.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dlicflic.exe (depth 37, PID 4264)
  command line: C:\Windows\system32\Dlicflic.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Dfngcdhi.exe (depth 38, PID 400)
  command line: C:\Windows\system32\Dfngcdhi.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dhbqalle.exe (depth 39, PID 3424)
  command line: C:\Windows\system32\Dhbqalle.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dlbfmjqi.exe (depth 40, PID 3548)
  command line: C:\Windows\system32\Dlbfmjqi.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Eoconenj.exe (depth 41, PID 4200)
  command line: C:\Windows\system32\Eoconenj.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ehnpmkbg.exe (depth 42, PID 4684)
  command line: C:\Windows\system32\Ehnpmkbg.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Efopjbjg.exe (depth 43, PID 2308)
  command line: C:\Windows\system32\Efopjbjg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Efampahd.exe (depth 44, PID 636)
  command line: C:\Windows\system32\Efampahd.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fplnogmb.exe (depth 45, PID 1396)
  command line: C:\Windows\system32\Fplnogmb.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fcmgpbjc.exe (depth 46, PID 876)
  command line: C:\Windows\system32\Fcmgpbjc.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fcodfa32.exe (depth 47, PID 2804)
  command line: C:\Windows\system32\Fcodfa32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fpcdof32.exe (depth 48, PID 3200)
  command line: C:\Windows\system32\Fpcdof32.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fhnichde.exe (depth 49, PID 2532)
  command line: C:\Windows\system32\Fhnichde.exe
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gcfjfqah.exe (depth 50, PID 1292)
  command line: C:\Windows\system32\Gcfjfqah.exe
- C:\Windows\SysWOW64\Hgpbhmna.exe (depth 51, PID 1996)
  command line: C:\Windows\system32\Hgpbhmna.exe
- C:\Windows\SysWOW64\Hqjcgbbo.exe (depth 52, PID 1488)
  command line: C:\Windows\system32\Hqjcgbbo.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Hhehkepj.exe (depth 53, PID 2496)
  command line: C:\Windows\system32\Hhehkepj.exe
- C:\Windows\SysWOW64\Ihheqd32.exe (depth 54, PID 4936)
  command line: C:\Windows\system32\Ihheqd32.exe
- C:\Windows\SysWOW64\Imfmgcdn.exe (depth 55, PID 3492)
  command line: C:\Windows\system32\Imfmgcdn.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ihmnldib.exe (depth 56, PID 2256)
  command line: C:\Windows\system32\Ihmnldib.exe
- C:\Windows\SysWOW64\Icdoolge.exe (depth 57, PID 4496)
  command line: C:\Windows\system32\Icdoolge.exe
- C:\Windows\SysWOW64\Jmmcgbnf.exe (depth 58, PID 3452)
  command line: C:\Windows\system32\Jmmcgbnf.exe
- C:\Windows\SysWOW64\Jgbhdkml.exe (depth 59, PID 3876)
  command line: C:\Windows\system32\Jgbhdkml.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Jihngboe.exe (depth 60, PID 4412)
  command line: C:\Windows\system32\Jihngboe.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Jginej32.exe (depth 61, PID 3228)
  command line: C:\Windows\system32\Jginej32.exe
- C:\Windows\SysWOW64\Jmffnq32.exe (depth 62, PID 2844)
  command line: C:\Windows\system32\Jmffnq32.exe
- C:\Windows\SysWOW64\Kiodha32.exe (depth 63, PID 3840)
  command line: C:\Windows\system32\Kiodha32.exe
- C:\Windows\SysWOW64\Kgcqlh32.exe (depth 64, PID 3404)
  command line: C:\Windows\system32\Kgcqlh32.exe
- C:\Windows\SysWOW64\Kidmcqeg.exe (depth 65, PID 4704)
  command line: C:\Windows\system32\Kidmcqeg.exe
- C:\Windows\SysWOW64\Kanbjn32.exe (depth 66, PID 3012)
  command line: C:\Windows\system32\Kanbjn32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Lpelqj32.exe (depth 67, PID 3836)
  command line: C:\Windows\system32\Lpelqj32.exe
- C:\Windows\SysWOW64\Lmiljn32.exe (depth 68, PID 5164)
  command line: C:\Windows\system32\Lmiljn32.exe
- C:\Windows\SysWOW64\Lccdghmc.exe (depth 69, PID 5204)
  command line: C:\Windows\system32\Lccdghmc.exe
- C:\Windows\SysWOW64\Lmkipncc.exe (depth 70, PID 5252)
  command line: C:\Windows\system32\Lmkipncc.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lhammfci.exe (depth 71, PID 5292)
  command line: C:\Windows\system32\Lhammfci.exe
- C:\Windows\SysWOW64\Lmneemaq.exe (depth 72, PID 5332)
  command line: C:\Windows\system32\Lmneemaq.exe
- C:\Windows\SysWOW64\Mffjnc32.exe (depth 73, PID 5384)
  command line: C:\Windows\system32\Mffjnc32.exe
- C:\Windows\SysWOW64\Mdjjgggk.exe (depth 74, PID 5424)
  command line: C:\Windows\system32\Mdjjgggk.exe
- C:\Windows\SysWOW64\Migcpneb.exe (depth 75, PID 5476)
  command line: C:\Windows\system32\Migcpneb.exe
- C:\Windows\SysWOW64\Mfkcibdl.exe (depth 76, PID 5520)
  command line: C:\Windows\system32\Mfkcibdl.exe
- C:\Windows\SysWOW64\Nipffmmg.exe (depth 77, PID 5560)
  command line: C:\Windows\system32\Nipffmmg.exe
- C:\Windows\SysWOW64\Npjnbg32.exe (depth 78, PID 5608)
  command line: C:\Windows\system32\Npjnbg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Nplkhf32.exe (depth 79, PID 5652)
  command line: C:\Windows\system32\Nplkhf32.exe
- C:\Windows\SysWOW64\Ngipjp32.exe (depth 80, PID 5696)
  command line: C:\Windows\system32\Ngipjp32.exe
- C:\Windows\SysWOW64\Oahgnh32.exe (depth 81, PID 5740)
  command line: C:\Windows\system32\Oahgnh32.exe
- C:\Windows\SysWOW64\Ohaokbfd.exe (depth 82, PID 5788)
  command line: C:\Windows\system32\Ohaokbfd.exe
- C:\Windows\SysWOW64\Pdbbfadn.exe (depth 83, PID 5836)
  command line: C:\Windows\system32\Pdbbfadn.exe
- C:\Windows\SysWOW64\Qhddgofo.exe (depth 84, PID 5876)
  command line: C:\Windows\system32\Qhddgofo.exe
- C:\Windows\SysWOW64\Agiahlkf.exe (depth 85, PID 5924)
  command line: C:\Windows\system32\Agiahlkf.exe
- C:\Windows\SysWOW64\Ahinbo32.exe (depth 86, PID 5968)
  command line: C:\Windows\system32\Ahinbo32.exe
- C:\Windows\SysWOW64\Aqfolqna.exe (depth 87, PID 6040)
  command line: C:\Windows\system32\Aqfolqna.exe
- C:\Windows\SysWOW64\Deqqek32.exe (depth 88, PID 6088)
  command line: C:\Windows\system32\Deqqek32.exe
- C:\Windows\SysWOW64\Fkbkoo32.exe (depth 89, PID 6128)
  command line: C:\Windows\system32\Fkbkoo32.exe
- C:\Windows\SysWOW64\Falcli32.exe (depth 90, PID 5132)
  command line: C:\Windows\system32\Falcli32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Fhflhcfa.exe (depth 91, PID 5196)
  command line: C:\Windows\system32\Fhflhcfa.exe
- C:\Windows\SysWOW64\Faopah32.exe (depth 92, PID 5276)
  command line: C:\Windows\system32\Faopah32.exe
- C:\Windows\SysWOW64\Fbnmkk32.exe (depth 93, PID 5352)
  command line: C:\Windows\system32\Fbnmkk32.exe
- C:\Windows\SysWOW64\Facjlhil.exe (depth 94, PID 5412)
  command line: C:\Windows\system32\Facjlhil.exe
- C:\Windows\SysWOW64\Ghmbib32.exe (depth 95, PID 5472)
  command line: C:\Windows\system32\Ghmbib32.exe
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Gogjflhf.exe (depth 96, PID 5568)
  command line: C:\Windows\system32\Gogjflhf.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Gojgkl32.exe (depth 97, PID 5628)
  command line: C:\Windows\system32\Gojgkl32.exe
- C:\Windows\SysWOW64\Gedohfmp.exe (depth 98, PID 5684)
  command line: C:\Windows\system32\Gedohfmp.exe
- C:\Windows\SysWOW64\Gkqhpmkg.exe (depth 99, PID 5784)
  command line: C:\Windows\system32\Gkqhpmkg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Giahndcf.exe (depth 100, PID 5820)
  command line: C:\Windows\system32\Giahndcf.exe
- C:\Windows\SysWOW64\Gkcdfl32.exe (depth 101, PID 5884)
  command line: C:\Windows\system32\Gkcdfl32.exe
- C:\Windows\SysWOW64\Gehice32.exe (depth 102, PID 5952)
  command line: C:\Windows\system32\Gehice32.exe
- C:\Windows\SysWOW64\Hifaic32.exe (depth 103, PID 4440)
  command line: C:\Windows\system32\Hifaic32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Hcofbifb.exe (depth 104, PID 6080)
  command line: C:\Windows\system32\Hcofbifb.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Hafpiehg.exe (depth 105, PID 6060)
  command line: C:\Windows\system32\Hafpiehg.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- C:\Windows\SysWOW64\Hllcfnhm.exe (depth 106, PID 936)
  command line: C:\Windows\system32\Hllcfnhm.exe
- C:\Windows\SysWOW64\Iibaeb32.exe (depth 107, PID 5232)
  command line: C:\Windows\system32\Iibaeb32.exe
  - Drops file in System32 directory
  - Modifies registry class
- C:\Windows\SysWOW64\Ikhghi32.exe (depth 108, PID 5272)
  command line: C:\Windows\system32\Ikhghi32.exe
- C:\Windows\SysWOW64\Ifnkeb32.exe (depth 109, PID 5444)
  command line: C:\Windows\system32\Ifnkeb32.exe
- C:\Windows\SysWOW64\Jkfcigkm.exe (depth 110, PID 5556)
  command line: C:\Windows\system32\Jkfcigkm.exe
- C:\Windows\SysWOW64\Koiejemn.exe (depth 111, PID 5596)
  command line: C:\Windows\system32\Koiejemn.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Lfjchn32.exe (depth 112, PID 5752)
  command line: C:\Windows\system32\Lfjchn32.exe
- C:\Windows\SysWOW64\Lobhqdec.exe (depth 113, PID 5860)
  command line: C:\Windows\system32\Lobhqdec.exe
- C:\Windows\SysWOW64\Llpofd32.exe (depth 114, PID 5976)
  command line: C:\Windows\system32\Llpofd32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Miflehaf.exe (depth 115, PID 1416)
  command line: C:\Windows\system32\Miflehaf.exe
- C:\Windows\SysWOW64\Mclpbqal.exe (depth 116, PID 6112)
  command line: C:\Windows\system32\Mclpbqal.exe
- C:\Windows\SysWOW64\Mihikgod.exe (depth 117, PID 5148)
  command line: C:\Windows\system32\Mihikgod.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Mbamcm32.exe (depth 118, PID 5260)
  command line: C:\Windows\system32\Mbamcm32.exe
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Mikepg32.exe (depth 119, PID 4140)
  command line: C:\Windows\system32\Mikepg32.exe
- C:\Windows\SysWOW64\Mcpjnp32.exe (depth 120, PID 5600)
  command line: C:\Windows\system32\Mcpjnp32.exe
  - Modifies registry class
- C:\Windows\SysWOW64\Mjjbjjdd.exe (depth 121, PID 4588)
  command line: C:\Windows\system32\Mjjbjjdd.exe
- C:\Windows\SysWOW64\Nlknbb32.exe (depth 122, PID 5736)
  command line: C:\Windows\system32\Nlknbb32.exe