Analysis

max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 20:32
Behavioral task: behavioral1
Sample: 2769a462097b1498962013ea66fd6970_NEIKI.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2769a462097b1498962013ea66fd6970_NEIKI.exe
Resource: win10v2004-20240226-en
General

Target: 2769a462097b1498962013ea66fd6970_NEIKI.exe
Size: 276KB
MD5: 2769a462097b1498962013ea66fd6970
SHA1: e44da8ca18ca0aae82e1283007fbd92eb3762d84
SHA256: 82c8a11b5a901938b462c6760648fde12e1918c387092ba1d9589b5f7bf692a1
SHA512: 39c394aa68b41b58912cbd6faf936d23770b6d74dac736707813d623d49dd6541c973aa97ec8cf089118a709ab02babce489667a881291dc14cb362ee163a48a
SSDEEP: 6144:xkrZV2/IuORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5AX/KXWZCK9:irZV4ER+pMUQunbpd/mF6ECJlzxAKN2x
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Dropper & Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 1644, pid_target 1468, process WerFault.exe, procid_target 822
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcgndfi.dll" Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknmeacn.dll" Mpnkopeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcepgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Depbfhpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Addhcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bafhff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcqebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jckgicnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfdenafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhpejbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Lpppjikm.dll" Palbgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfgkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acicla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfbjp32.dll" Fbpfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Fpdkpiik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opaebkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbhbdi32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obmpgjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcnch32.dll" Hfnkji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mijamjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmpcgace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkmdodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laoekk32.dll" Hafbghhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iboghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aekqmbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojieb32.dll" Eclbcj32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gefolhja.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miiofn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbhbdi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphcppmo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jioopgef.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imienpig.dll" Gqodqodl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnckp32.dll" Adcdbl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aicfgn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldjbkb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggoqimd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddphp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgfheodo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikapk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhdocl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igoomk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqpdcc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgnelll.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfmllbd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofbhgde.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbfnchfb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejfllhao.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjmoace.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnkopeh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbomjnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkoeoh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ionehnbm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnfjpai.dll" Pkepnalk.exe
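The two registry signatures in this report are halves of one persistence chain: the ShellServiceObjectDelayLoad value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the CLSID's InProcServer32 default value names the DLL that Explorer will load for it at logon (several different DLL paths are registered over the run, one per dropped stage). The following Python is an added example, not part of the sandbox report: it parses the "Key created" / "Set value (str)" IoC lines into structured records and joins the two halves into a hunting list of (value name, CLSID, DLL paths). The sample lines are copied from this report; the function names and the "(Default)" label for a trailing-backslash value name are this example's own conventions.

```python
import re
from collections import defaultdict

# Constructed sample: IoC lines copied from the report, one per line.
SAMPLE_IOCS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaijak32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgoje32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcngcp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miiofn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphcppmo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imienpig.dll" Gqodqodl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnckp32.dll" Adcdbl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnfjpai.dll" Pkepnalk.exe
"""

KEY_CREATED = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+)$")
SET_VALUE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)


def parse_ioc(line):
    """Turn one report line into a dict, or None if it is not a registry IoC."""
    line = line.strip()
    m = KEY_CREATED.match(line)
    if m:
        return {"op": "key_created", "key": m["key"], "value": None,
                "data": None, "process": m["proc"]}
    m = SET_VALUE.match(line)
    if m:
        # The path ends in the value name; a trailing backslash is how the
        # report renders the key's default value (InProcServer32\ = "...").
        key, _, value = m["path"].rpartition("\\")
        return {"op": "set_value", "key": key, "value": value or "(Default)",
                "data": m["data"].replace("\\\\", "\\"), "process": m["proc"]}
    return None


def parse_report(text):
    return [r for r in map(parse_ioc, text.splitlines()) if r is not None]


def summarize(records):
    ssodl = {}                  # SSODL value name -> CLSID it points at
    inproc = defaultdict(set)   # CLSID -> DLL paths registered as its in-proc server
    writers = defaultdict(set)  # registry key (lower-cased) -> processes that touched it
    for r in records:
        k = r["key"].lower()    # registry paths are case-insensitive
        writers[k].add(r["process"])
        if r["op"] != "set_value":
            continue
        if k.endswith("\\shellserviceobjectdelayload"):
            ssodl[r["value"]] = r["data"]
        elif k.endswith("\\inprocserver32") and r["value"] == "(Default)":
            inproc[r["key"].split("\\")[-2]].add(r["data"])
    return ssodl, inproc, writers


def hunt_list(records):
    """Join the two halves of the persistence chain: each SSODL value name
    Explorer will load at logon, the CLSID it names, and every DLL path the
    sample registered as that CLSID's InProcServer32 default value."""
    ssodl, inproc, _ = summarize(records)
    return [(name, clsid, sorted(inproc.get(clsid, ())))
            for name, clsid in sorted(ssodl.items())]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_IOCS)
    _, _, writers = summarize(recs)
    for name, clsid, dlls in hunt_list(recs):
        print(f"SSODL value {name!r} -> {clsid}")
        for dll in dlls:
            print(f"  InProcServer32 -> {dll}")
    for key, procs in writers.items():
        print(f"{len(procs)} process(es) touched {key}")
```

On a live host the output of hunt_list is the check list: the SSODL value name under both the native and Wow6432Node CurrentVersion keys, the CLSID under HKCR (and its Wow6432Node mirror), and each DLL path on disk. Keep every DLL path rather than the last one written, since the report shows the value being overwritten by successive stages.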
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2248 wrote to memory of 1876  2248  2769a462097b1498962013ea66fd6970_NEIKI.exe  28
PID 2248 wrote to memory of 1876  2248  2769a462097b1498962013ea66fd6970_NEIKI.exe  28
PID 2248 wrote to memory of 1876  2248  2769a462097b1498962013ea66fd6970_NEIKI.exe  28
PID 2248 wrote to memory of 1876  2248  2769a462097b1498962013ea66fd6970_NEIKI.exe  28
PID 1876 wrote to memory of 2524  1876  Lklejh32.exe  29
PID 1876 wrote to memory of 2524  1876  Lklejh32.exe  29
PID 1876 wrote to memory of 2524  1876  Lklejh32.exe  29
PID 1876 wrote to memory of 2524  1876  Lklejh32.exe  29
PID 2524 wrote to memory of 2936  2524  Meicnm32.exe  30
PID 2524 wrote to memory of 2936  2524  Meicnm32.exe  30
PID 2524 wrote to memory of 2936  2524  Meicnm32.exe  30
PID 2524 wrote to memory of 2936  2524  Meicnm32.exe  30
PID 2936 wrote to memory of 2404  2936  Mikhgqbi.exe  31
PID 2936 wrote to memory of 2404  2936  Mikhgqbi.exe  31
PID 2936 wrote to memory of 2404  2936  Mikhgqbi.exe  31
PID 2936 wrote to memory of 2404  2936  Mikhgqbi.exe  31
PID 2404 wrote to memory of 2384  2404  Mmhamoho.exe  32
PID 2404 wrote to memory of 2384  2404  Mmhamoho.exe  32
PID 2404 wrote to memory of 2384  2404  Mmhamoho.exe  32
PID 2404 wrote to memory of 2384  2404  Mmhamoho.exe  32
PID 2384 wrote to memory of 2824  2384  Nhdocl32.exe  33
PID 2384 wrote to memory of 2824  2384  Nhdocl32.exe  33
PID 2384 wrote to memory of 2824  2384  Nhdocl32.exe  33
PID 2384 wrote to memory of 2824  2384  Nhdocl32.exe  33
PID 2824 wrote to memory of 1716  2824  Nkhdkgnj.exe  34
PID 2824 wrote to memory of 1716  2824  Nkhdkgnj.exe  34
PID 2824 wrote to memory of 1716  2824  Nkhdkgnj.exe  34
PID 2824 wrote to memory of 1716  2824  Nkhdkgnj.exe  34
PID 1716 wrote to memory of 1216  1716  Nkjapglg.exe  35
PID 1716 wrote to memory of 1216  1716  Nkjapglg.exe  35
PID 1716 wrote to memory of 1216  1716  Nkjapglg.exe  35
PID 1716 wrote to memory of 1216  1716  Nkjapglg.exe  35
PID 1216 wrote to memory of 2704  1216  Oiakgcnl.exe  36
PID 1216 wrote to memory of 2704  1216  Oiakgcnl.exe  36
PID 1216 wrote to memory of 2704  1216  Oiakgcnl.exe  36
PID 1216 wrote to memory of 2704  1216  Oiakgcnl.exe  36
PID 2704 wrote to memory of 2128  2704  Oidglb32.exe  37
PID 2704 wrote to memory of 2128  2704  Oidglb32.exe  37
PID 2704 wrote to memory of 2128  2704  Oidglb32.exe  37
PID 2704 wrote to memory of 2128  2704  Oidglb32.exe  37
PID 2128 wrote to memory of 1476  2128  Ohidmoaa.exe  38
PID 2128 wrote to memory of 1476  2128  Ohidmoaa.exe  38
PID 2128 wrote to memory of 1476  2128  Ohidmoaa.exe  38
PID 2128 wrote to memory of 1476  2128  Ohidmoaa.exe  38
PID 1476 wrote to memory of 2016  1476  Olgmcmgh.exe  39
PID 1476 wrote to memory of 2016  1476  Olgmcmgh.exe  39
PID 1476 wrote to memory of 2016  1476  Olgmcmgh.exe  39
PID 1476 wrote to memory of 2016  1476  Olgmcmgh.exe  39
PID 2016 wrote to memory of 1624  2016  Pahogc32.exe  40
PID 2016 wrote to memory of 1624  2016  Pahogc32.exe  40
PID 2016 wrote to memory of 1624  2016  Pahogc32.exe  40
PID 2016 wrote to memory of 1624  2016  Pahogc32.exe  40
PID 1624 wrote to memory of 1140  1624  Pjcckf32.exe  41
PID 1624 wrote to memory of 1140  1624  Pjcckf32.exe  41
PID 1624 wrote to memory of 1140  1624  Pjcckf32.exe  41
PID 1624 wrote to memory of 1140  1624  Pjcckf32.exe  41
PID 1140 wrote to memory of 2228  1140  Pqphnp32.exe  42
PID 1140 wrote to memory of 2228  1140  Pqphnp32.exe  42
PID 1140 wrote to memory of 2228  1140  Pqphnp32.exe  42
PID 1140 wrote to memory of 2228  1140  Pqphnp32.exe  42
PID 2228 wrote to memory of 1780  2228  Qqdbiopj.exe  43
PID 2228 wrote to memory of 1780  2228  Qqdbiopj.exe  43
PID 2228 wrote to memory of 1780  2228  Qqdbiopj.exe  43
PID 2228 wrote to memory of 1780  2228  Qqdbiopj.exe  43
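Each row above records one WriteProcessMemory call from a dropped executable into the process it has just launched (the target PID of each row is the PID of the next entry in the process tree below), so the 64 rows describe a single linear chain with four writes per hop. The following Python is an added example, not part of the sandbox report: it extracts the rows with a regular expression that also works when the table has been flattened onto one line, checks that the pid column repeats the writer PID from the description, counts writes per (writer, target) edge and walks the edges from the root writer to reconstruct the chain. The sample rows are copied from this table; the trailing procid_target number is kept but not interpreted, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: six rows copied from the table above, run together on
# one line the way the report renders them (duplicate rows included).
SAMPLE_WPM = (
    "PID 2248 wrote to memory of 1876 2248 2769a462097b1498962013ea66fd6970_NEIKI.exe 28 "
    "PID 2248 wrote to memory of 1876 2248 2769a462097b1498962013ea66fd6970_NEIKI.exe 28 "
    "PID 1876 wrote to memory of 2524 1876 Lklejh32.exe 29 "
    "PID 1876 wrote to memory of 2524 1876 Lklejh32.exe 29 "
    "PID 2524 wrote to memory of 2936 2524 Meicnm32.exe 30 "
    "PID 2936 wrote to memory of 2404 2936 Mikhgqbi.exe 31"
)

# The pid column must repeat the writer PID from the description; the
# backreference (?P=src) rejects rows where the two disagree.
ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)"
)


def parse_wpm(text):
    """Extract every WriteProcessMemory row, whether the rows sit on separate
    lines or are flattened onto one."""
    return [{"src": int(m["src"]), "dst": int(m["dst"]),
             "proc": m["proc"], "target_idx": int(m["target"])}
            for m in ROW.finditer(text)]


def build_graph(events):
    names = {}                    # writer PID -> image name
    children = defaultdict(list)  # writer PID -> target PIDs, first-seen order
    writes = Counter()            # (writer, target) -> number of write events
    for e in events:
        names[e["src"]] = e["proc"]
        writes[(e["src"], e["dst"])] += 1
        if e["dst"] not in children[e["src"]]:
            children[e["src"]].append(e["dst"])
    return names, children, writes


def injection_chains(events):
    """Walk from each root writer (a PID nobody wrote into) down the write
    edges. Each path is a list of (pid, image name); the name is None when
    that PID never appears as a writer in the input."""
    names, children, _ = build_graph(events)
    targets = {t for kids in children.values() for t in kids}
    roots = [p for p in children if p not in targets]
    chains = []

    def walk(pid, path):
        if any(p == pid for p, _ in path):  # guard against cyclic writes
            chains.append(path)
            return
        path = path + [(pid, names.get(pid))]
        kids = children.get(pid)
        if not kids:
            chains.append(path)
            return
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return chains


if __name__ == "__main__":
    events = parse_wpm(SAMPLE_WPM)
    _, _, writes = build_graph(events)
    for chain in injection_chains(events):
        print(" -> ".join(f"{pid} ({name or '?'})" for pid, name in chain))
    for (src, dst), n in writes.items():
        print(f"{src} wrote into {dst} {n} time(s)")
```

Feeding the full 64-row table through parse_wpm gives one chain of seventeen PIDs ending at 1780 (Abhkfg32.exe in the tree below, which has no WriteProcessMemory signature of its own), with every edge counted four times. A branching graph, or an edge whose target never appears in the process tree, would be the thing worth a second look.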
Processes
C:\Users\Admin\AppData\Local\Temp\2769a462097b1498962013ea66fd6970_NEIKI.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2769a462097b1498962013ea66fd6970_NEIKI.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2248

C:\Windows\SysWOW64\Lklejh32.exe (depth 2)
Command line: C:\Windows\system32\Lklejh32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1876

C:\Windows\SysWOW64\Meicnm32.exe (depth 3)
Command line: C:\Windows\system32\Meicnm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2524

C:\Windows\SysWOW64\Mikhgqbi.exe (depth 4)
Command line: C:\Windows\system32\Mikhgqbi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2936

C:\Windows\SysWOW64\Mmhamoho.exe (depth 5)
Command line: C:\Windows\system32\Mmhamoho.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2404

C:\Windows\SysWOW64\Nhdocl32.exe (depth 6)
Command line: C:\Windows\system32\Nhdocl32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2384

C:\Windows\SysWOW64\Nkhdkgnj.exe (depth 7)
Command line: C:\Windows\system32\Nkhdkgnj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2824

C:\Windows\SysWOW64\Nkjapglg.exe (depth 8)
Command line: C:\Windows\system32\Nkjapglg.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1716

C:\Windows\SysWOW64\Oiakgcnl.exe (depth 9)
Command line: C:\Windows\system32\Oiakgcnl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1216

C:\Windows\SysWOW64\Oidglb32.exe (depth 10)
Command line: C:\Windows\system32\Oidglb32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2704

C:\Windows\SysWOW64\Ohidmoaa.exe (depth 11)
Command line: C:\Windows\system32\Ohidmoaa.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2128

C:\Windows\SysWOW64\Olgmcmgh.exe (depth 12)
Command line: C:\Windows\system32\Olgmcmgh.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1476

C:\Windows\SysWOW64\Pahogc32.exe (depth 13)
Command line: C:\Windows\system32\Pahogc32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2016

C:\Windows\SysWOW64\Pjcckf32.exe (depth 14)
Command line: C:\Windows\system32\Pjcckf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1624

C:\Windows\SysWOW64\Pqphnp32.exe (depth 15)
Command line: C:\Windows\system32\Pqphnp32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1140

C:\Windows\SysWOW64\Qqdbiopj.exe (depth 16)
Command line: C:\Windows\system32\Qqdbiopj.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2228

C:\Windows\SysWOW64\Abhkfg32.exe (depth 17)
Command line: C:\Windows\system32\Abhkfg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1780

C:\Windows\SysWOW64\Akqpom32.exe (depth 18)
Command line: C:\Windows\system32\Akqpom32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2924

C:\Windows\SysWOW64\Aekqmbod.exe (depth 19)
Command line: C:\Windows\system32\Aekqmbod.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 3020

C:\Windows\SysWOW64\Ajhiei32.exe (depth 20)
Command line: C:\Windows\system32\Ajhiei32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1792

C:\Windows\SysWOW64\Akhfoldn.exe (depth 21)
Command line: C:\Windows\system32\Akhfoldn.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 776

C:\Windows\SysWOW64\Bepjha32.exe (depth 22)
Command line: C:\Windows\system32\Bepjha32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1536

C:\Windows\SysWOW64\Bgqcjlhp.exe (depth 23)
Command line: C:\Windows\system32\Bgqcjlhp.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2628

C:\Windows\SysWOW64\Baigca32.exe (depth 24)
Command line: C:\Windows\system32\Baigca32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 624

C:\Windows\SysWOW64\Bjallg32.exe (depth 25)
Command line: C:\Windows\system32\Bjallg32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1980

C:\Windows\SysWOW64\Ckolek32.exe (depth 26)
Command line: C:\Windows\system32\Ckolek32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2752

C:\Windows\SysWOW64\Cmpdgf32.exe (depth 27)
Command line: C:\Windows\system32\Cmpdgf32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2044

C:\Windows\SysWOW64\Cmbalfem.exe (depth 28)
Command line: C:\Windows\system32\Cmbalfem.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 1728

C:\Windows\SysWOW64\Diibag32.exe (depth 29)
Command line: C:\Windows\system32\Diibag32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2012

C:\Windows\SysWOW64\Depbfhpe.exe (depth 30)
Command line: C:\Windows\system32\Depbfhpe.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2900

C:\Windows\SysWOW64\Dgoopkgh.exe (depth 31)
Command line: C:\Windows\system32\Dgoopkgh.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2500

C:\Windows\SysWOW64\Dhbhmb32.exe (depth 32)
Command line: C:\Windows\system32\Dhbhmb32.exe
- Executes dropped EXE
- Loads dropped DLL
PID: 2548

C:\Windows\SysWOW64\Degiggjm.exe (depth 33)
Command line: C:\Windows\system32\Degiggjm.exe
- Executes dropped EXE
PID: 2396

C:\Windows\SysWOW64\Ehgbhbgn.exe (depth 34)
Command line: C:\Windows\system32\Ehgbhbgn.exe
- Executes dropped EXE
PID: 1712

C:\Windows\SysWOW64\Eabcggll.exe (depth 35)
Command line: C:\Windows\system32\Eabcggll.exe
- Executes dropped EXE
PID: 2360

C:\Windows\SysWOW64\Eccpoo32.exe (depth 36)
Command line: C:\Windows\system32\Eccpoo32.exe
- Executes dropped EXE
PID: 1640

C:\Windows\SysWOW64\Edclib32.exe (depth 37)
Command line: C:\Windows\system32\Edclib32.exe
- Executes dropped EXE
PID: 2468

C:\Windows\SysWOW64\Fgcejm32.exe (depth 38)
Command line: C:\Windows\system32\Fgcejm32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2644

C:\Windows\SysWOW64\Fkejcq32.exe (depth 39)
Command line: C:\Windows\system32\Fkejcq32.exe
- Executes dropped EXE
PID: 2288

C:\Windows\SysWOW64\Fhikme32.exe (depth 40)
Command line: C:\Windows\system32\Fhikme32.exe
- Executes dropped EXE
PID: 1672

C:\Windows\SysWOW64\Fgohna32.exe (depth 41)
Command line: C:\Windows\system32\Fgohna32.exe
- Executes dropped EXE
PID: 1612

C:\Windows\SysWOW64\Fdbhge32.exe (depth 42)
Command line: C:\Windows\system32\Fdbhge32.exe
- Executes dropped EXE
PID: 612

C:\Windows\SysWOW64\Geeemeif.exe (depth 43)
Command line: C:\Windows\system32\Geeemeif.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2040

C:\Windows\SysWOW64\Gnmifk32.exe (depth 44)
Command line: C:\Windows\system32\Gnmifk32.exe
- Executes dropped EXE
PID: 820

C:\Windows\SysWOW64\Gfhnjm32.exe (depth 45)
Command line: C:\Windows\system32\Gfhnjm32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2896

C:\Windows\SysWOW64\Gghkdp32.exe (depth 46)
Command line: C:\Windows\system32\Gghkdp32.exe
- Executes dropped EXE
PID: 2220

C:\Windows\SysWOW64\Gpcoib32.exe (depth 47)
Command line: C:\Windows\system32\Gpcoib32.exe
- Executes dropped EXE
PID: 3032

C:\Windows\SysWOW64\Gmgpbf32.exe (depth 48)
Command line: C:\Windows\system32\Gmgpbf32.exe
- Executes dropped EXE
PID: 1168

C:\Windows\SysWOW64\Gbdhjm32.exe (depth 49)
Command line: C:\Windows\system32\Gbdhjm32.exe
- Executes dropped EXE
PID: 1544

C:\Windows\SysWOW64\Hnkion32.exe (depth 50)
Command line: C:\Windows\system32\Hnkion32.exe
- Executes dropped EXE
PID: 2796

C:\Windows\SysWOW64\Hloiib32.exe (depth 51)
Command line: C:\Windows\system32\Hloiib32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 1056

C:\Windows\SysWOW64\Hhejnc32.exe (depth 52)
Command line: C:\Windows\system32\Hhejnc32.exe
- Executes dropped EXE
PID: 2868

C:\Windows\SysWOW64\Heikgh32.exe (depth 53)
Command line: C:\Windows\system32\Heikgh32.exe
- Executes dropped EXE
PID: 1512

C:\Windows\SysWOW64\Hapklimq.exe (depth 54)
Command line: C:\Windows\system32\Hapklimq.exe
- Executes dropped EXE
PID: 1720

C:\Windows\SysWOW64\Hmglajcd.exe (depth 55)
Command line: C:\Windows\system32\Hmglajcd.exe
- Executes dropped EXE
PID: 1708

C:\Windows\SysWOW64\Ipehmebh.exe (depth 56)
Command line: C:\Windows\system32\Ipehmebh.exe
- Executes dropped EXE
PID: 2908

C:\Windows\SysWOW64\Idcacc32.exe (depth 57)
Command line: C:\Windows\system32\Idcacc32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID: 2816

C:\Windows\SysWOW64\Ipjahd32.exe (depth 58)
Command line: C:\Windows\system32\Ipjahd32.exe
- Executes dropped EXE
PID: 2380

C:\Windows\SysWOW64\Imnbbi32.exe (depth 59)
Command line: C:\Windows\system32\Imnbbi32.exe
- Executes dropped EXE
PID: 2432

C:\Windows\SysWOW64\Ieigfk32.exe (depth 60)
Command line: C:\Windows\system32\Ieigfk32.exe
- Executes dropped EXE
PID: 556

C:\Windows\SysWOW64\Ioakoq32.exe (depth 61)
Command line: C:\Windows\system32\Ioakoq32.exe
- Executes dropped EXE
PID: 2840

C:\Windows\SysWOW64\Jkhldafl.exe (depth 62)
Command line: C:\Windows\system32\Jkhldafl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1196

C:\Windows\SysWOW64\Jbpdeogo.exe (depth 63)
Command line: C:\Windows\system32\Jbpdeogo.exe
- Executes dropped EXE
PID: 1296

C:\Windows\SysWOW64\Jhlmmfef.exe (depth 64)
Command line: C:\Windows\system32\Jhlmmfef.exe
- Executes dropped EXE
PID: 2708

C:\Windows\SysWOW64\Jgaiobjn.exe (depth 65)
Command line: C:\Windows\system32\Jgaiobjn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2728

C:\Windows\SysWOW64\Jdejhfig.exe (depth 66)
Command line: C:\Windows\system32\Jdejhfig.exe
PID: 760

C:\Windows\SysWOW64\Jaijak32.exe (depth 67)
Command line: C:\Windows\system32\Jaijak32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1968

C:\Windows\SysWOW64\Jckgicnp.exe (depth 68)
Command line: C:\Windows\system32\Jckgicnp.exe
- Modifies registry class
PID: 3028

C:\Windows\SysWOW64\Jpogbgmi.exe (depth 69)
Command line: C:\Windows\system32\Jpogbgmi.exe
PID: 920

C:\Windows\SysWOW64\Kfkpknkq.exe (depth 70)
Command line: C:\Windows\system32\Kfkpknkq.exe
PID: 832

C:\Windows\SysWOW64\Klehgh32.exe (depth 71)
Command line: C:\Windows\system32\Klehgh32.exe
PID: 1088

C:\Windows\SysWOW64\Kjihalag.exe (depth 72)
Command line: C:\Windows\system32\Kjihalag.exe
PID: 2092

C:\Windows\SysWOW64\Kpcqnf32.exe (depth 73)
Command line: C:\Windows\system32\Kpcqnf32.exe
PID: 1752

C:\Windows\SysWOW64\Kkmand32.exe (depth 74)
Command line: C:\Windows\system32\Kkmand32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1560

C:\Windows\SysWOW64\Khabghdl.exe (depth 75)
Command line: C:\Windows\system32\Khabghdl.exe
PID: 1940

C:\Windows\SysWOW64\Kdhcli32.exe (depth 76)
Command line: C:\Windows\system32\Kdhcli32.exe
PID: 2156

C:\Windows\SysWOW64\Lbicoamh.exe (depth 77)
Command line: C:\Windows\system32\Lbicoamh.exe
PID: 1724

C:\Windows\SysWOW64\Mpopnejo.exe (depth 78)
Command line: C:\Windows\system32\Mpopnejo.exe
PID: 1568

C:\Windows\SysWOW64\Mijamjnm.exe (depth 79)
Command line: C:\Windows\system32\Mijamjnm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 836

C:\Windows\SysWOW64\Mbbfep32.exe (depth 80)
Command line: C:\Windows\system32\Mbbfep32.exe
PID: 1184

C:\Windows\SysWOW64\Mlkjne32.exe (depth 81)
Command line: C:\Windows\system32\Mlkjne32.exe
PID: 1920

C:\Windows\SysWOW64\Mnifja32.exe (depth 82)
Command line: C:\Windows\system32\Mnifja32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1464

C:\Windows\SysWOW64\Nfdkoc32.exe (depth 83)
Command line: C:\Windows\system32\Nfdkoc32.exe
- Drops file in System32 directory
PID: 1628

C:\Windows\SysWOW64\Npmphinm.exe (depth 84)
Command line: C:\Windows\system32\Npmphinm.exe
PID: 1892

C:\Windows\SysWOW64\Nfghdcfj.exe (depth 85)
Command line: C:\Windows\system32\Nfghdcfj.exe
PID: 2776

C:\Windows\SysWOW64\Nbniid32.exe (depth 86)
Command line: C:\Windows\system32\Nbniid32.exe
PID: 2272

C:\Windows\SysWOW64\Nmcmgm32.exe (depth 87)
Command line: C:\Windows\system32\Nmcmgm32.exe
PID: 676

C:\Windows\SysWOW64\Nenakoho.exe (depth 88)
Command line: C:\Windows\system32\Nenakoho.exe
PID: 3016

C:\Windows\SysWOW64\Noffdd32.exe (depth 89)
Command line: C:\Windows\system32\Noffdd32.exe
- Drops file in System32 directory
PID: 1092

C:\Windows\SysWOW64\Obdojcef.exe (depth 90)
Command line: C:\Windows\system32\Obdojcef.exe
PID: 1312

C:\Windows\SysWOW64\Ookpodkj.exe (depth 91)
Command line: C:\Windows\system32\Ookpodkj.exe
PID: 1548

C:\Windows\SysWOW64\Olophhjd.exe (depth 92)
Command line: C:\Windows\system32\Olophhjd.exe
PID: 2056

C:\Windows\SysWOW64\Ogiaif32.exe (depth 93)
Command line: C:\Windows\system32\Ogiaif32.exe
PID: 2512

C:\Windows\SysWOW64\Opaebkmc.exe (depth 94)
Command line: C:\Windows\system32\Opaebkmc.exe
- Modifies registry class
PID: 1588

C:\Windows\SysWOW64\Omefkplm.exe (depth 95)
Command line: C:\Windows\system32\Omefkplm.exe
PID: 2624

C:\Windows\SysWOW64\Pilfpqaa.exe (depth 96)
Command line: C:\Windows\system32\Pilfpqaa.exe
PID: 2392

C:\Windows\SysWOW64\Pdakniag.exe (depth 97)
Command line: C:\Windows\system32\Pdakniag.exe
PID: 3044

C:\Windows\SysWOW64\Piqpkpml.exe (depth 98)
Command line: C:\Windows\system32\Piqpkpml.exe
PID: 1016

C:\Windows\SysWOW64\Pciddedl.exe (depth 99)
Command line: C:\Windows\system32\Pciddedl.exe
- Drops file in System32 directory
- Modifies registry class
PID: 1148

C:\Windows\SysWOW64\Phfmllbd.exe (depth 100)
Command line: C:\Windows\system32\Phfmllbd.exe
- Modifies registry class
PID: 2136

C:\Windows\SysWOW64\Qnebjc32.exe (depth 101)
Command line: C:\Windows\system32\Qnebjc32.exe
PID: 2508

C:\Windows\SysWOW64\Qododfek.exe (depth 102)
Command line: C:\Windows\system32\Qododfek.exe
PID: 2476

C:\Windows\SysWOW64\Qqfkln32.exe (depth 103)
Command line: C:\Windows\system32\Qqfkln32.exe
PID: 1960

C:\Windows\SysWOW64\Adcdbl32.exe (depth 104)
Command line: C:\Windows\system32\Adcdbl32.exe
- Modifies registry class
PID: 1108

C:\Windows\SysWOW64\Agbpnh32.exe (depth 105)
Command line: C:\Windows\system32\Agbpnh32.exe
- Drops file in System32 directory
PID: 2348

C:\Windows\SysWOW64\Adfqgl32.exe (depth 106)
Command line: C:\Windows\system32\Adfqgl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1468

C:\Windows\SysWOW64\Aciqcifh.exe (depth 107)
Command line: C:\Windows\system32\Aciqcifh.exe
PID: 2792

C:\Windows\SysWOW64\Ackmih32.exe (depth 108)
Command line: C:\Windows\system32\Ackmih32.exe
PID: 2132

C:\Windows\SysWOW64\Aihfap32.exe (depth 109)
Command line: C:\Windows\system32\Aihfap32.exe
PID: 2148

C:\Windows\SysWOW64\Aflfjc32.exe (depth 110)
Command line: C:\Windows\system32\Aflfjc32.exe
PID: 2408

C:\Windows\SysWOW64\Beackp32.exe (depth 111)
Command line: C:\Windows\system32\Beackp32.exe
PID: 2880

C:\Windows\SysWOW64\Bofgii32.exe (depth 112)
Command line: C:\Windows\system32\Bofgii32.exe
PID: 1404

C:\Windows\SysWOW64\Bgblmk32.exe (depth 113)
Command line: C:\Windows\system32\Bgblmk32.exe
PID: 2664

C:\Windows\SysWOW64\Befmfpbi.exe (depth 114)
Command line: C:\Windows\system32\Befmfpbi.exe
PID: 1460

C:\Windows\SysWOW64\Bbjmpcab.exe (depth 115)
Command line: C:\Windows\system32\Bbjmpcab.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1068

C:\Windows\SysWOW64\Bgffhkoj.exe (depth 116)
Command line: C:\Windows\system32\Bgffhkoj.exe
- Drops file in System32 directory
PID: 2928

C:\Windows\SysWOW64\Bmcnqama.exe (depth 117)
Command line: C:\Windows\system32\Bmcnqama.exe
PID: 2240

C:\Windows\SysWOW64\Bcmfmlen.exe (depth 118)
Command line: C:\Windows\system32\Bcmfmlen.exe
PID: 1800

C:\Windows\SysWOW64\Cjgoje32.exe (depth 119)
Command line: C:\Windows\system32\Cjgoje32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 272

C:\Windows\SysWOW64\Ccpcckck.exe (depth 120)
Command line: C:\Windows\system32\Ccpcckck.exe
PID: 2736

C:\Windows\SysWOW64\Cmhglq32.exe (depth 121)
Command line: C:\Windows\system32\Cmhglq32.exe
PID: 924

C:\Windows\SysWOW64\Cjlheehe.exe (depth 122)
Command line: C:\Windows\system32\Cjlheehe.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1072