Analysis
-
max time kernel
39s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:29
Behavioral task
behavioral1
Sample
df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe
-
Size
363KB
-
MD5
df3df8e680ea6a28aecac60a8edd9ab0
-
SHA1
3f889c6e2628fccad1b36b46b3ea7525b7ed41d5
-
SHA256
d8b3fbaeb8838c8644bd134199b6812bcd01c40cada6b054545a81b9ef6b6922
-
SHA512
cb0a4761fe1d62fb18d870b5d8435e6283a4eea0f4f50ae12e49cafda7e02ca2d02f3ce5dd72b677e5ad922d1c300e0b4929c314dd22a70ebfb114ecb8c1ba3a
-
SSDEEP
6144:6sRxXxx5ed1N6Gkym/89b7yS49pkuk4Nx73U2S4D23DgDJsAE1m7uLcp37pByk2e:ad1wf9S49yuFL73tS4D2FR1maLcJ/Umn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdgmimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibipmiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckahkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnmifk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqocoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonpma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pleofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhbciaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccpcckck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkihbho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdpfadlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafahdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcbnanl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbbdcgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkipao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ookpodkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcalnii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpcckck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioopgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmqdpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecnoijbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfcijf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnphdceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdkef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqqpgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offmipej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objjnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcodqkbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldmopa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagkjbaf.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x0029000000015c2f-27.dat family_berbew behavioral1/files/0x0007000000015c7c-38.dat family_berbew behavioral1/files/0x0007000000015cb9-53.dat family_berbew behavioral1/files/0x0005000000018698-66.dat family_berbew behavioral1/files/0x0006000000018ae2-74.dat family_berbew behavioral1/files/0x0006000000018b15-94.dat family_berbew behavioral1/files/0x0006000000018b37-105.dat family_berbew behavioral1/files/0x0010000000015c3c-124.dat family_berbew behavioral1/files/0x0006000000018b73-131.dat family_berbew behavioral1/files/0x0006000000018ba2-152.dat family_berbew behavioral1/files/0x00050000000192c9-166.dat family_berbew behavioral1/files/0x000500000001931b-179.dat family_berbew behavioral1/files/0x000500000001939b-207.dat family_berbew behavioral1/files/0x0005000000019410-221.dat family_berbew behavioral1/files/0x000500000001946f-230.dat family_berbew behavioral1/files/0x00040000000194d6-250.dat family_berbew behavioral1/files/0x00040000000194dc-261.dat family_berbew behavioral1/files/0x0005000000019521-302.dat family_berbew behavioral1/memory/804-314-0x0000000000230000-0x0000000000266000-memory.dmp family_berbew behavioral1/files/0x0005000000019570-312.dat family_berbew behavioral1/memory/1112-303-0x0000000000220000-0x0000000000256000-memory.dmp family_berbew behavioral1/files/0x00050000000194f4-290.dat family_berbew behavioral1/files/0x00050000000194ef-282.dat family_berbew behavioral1/files/0x00050000000194ea-271.dat family_berbew behavioral1/memory/1536-265-0x00000000002C0000-0x00000000002F6000-memory.dmp family_berbew behavioral1/memory/3068-246-0x00000000005D0000-0x0000000000606000-memory.dmp family_berbew behavioral1/files/0x0005000000019485-241.dat family_berbew behavioral1/files/0x0005000000019368-194.dat family_berbew behavioral1/files/0x000500000001959e-321.dat family_berbew behavioral1/memory/1608-326-0x0000000000220000-0x0000000000256000-memory.dmp family_berbew behavioral1/files/0x00050000000195a7-334.dat family_berbew behavioral1/memory/2652-123-0x0000000000250000-0x0000000000286000-memory.dmp family_berbew behavioral1/files/0x00050000000195a9-347.dat family_berbew behavioral1/memory/2120-360-0x0000000000230000-0x0000000000266000-memory.dmp family_berbew behavioral1/memory/2120-359-0x0000000000230000-0x0000000000266000-memory.dmp family_berbew behavioral1/files/0x0005000000019646-367.dat family_berbew behavioral1/files/0x0005000000019bd7-390.dat family_berbew behavioral1/memory/1236-415-0x00000000002B0000-0x00000000002E6000-memory.dmp family_berbew behavioral1/files/0x000500000001a013-443.dat family_berbew behavioral1/files/0x000500000001a3c2-470.dat family_berbew behavioral1/files/0x000500000001a3c8-481.dat family_berbew behavioral1/files/0x000500000001a3d4-493.dat family_berbew behavioral1/files/0x000500000001a429-507.dat family_berbew behavioral1/files/0x000500000001a431-517.dat family_berbew behavioral1/files/0x000500000001a43b-527.dat family_berbew behavioral1/files/0x000500000001a447-547.dat family_berbew behavioral1/files/0x000500000001a44b-558.dat family_berbew behavioral1/files/0x000500000001a44f-567.dat family_berbew behavioral1/files/0x000500000001a45b-605.dat family_berbew behavioral1/files/0x000500000001a45f-616.dat family_berbew behavioral1/files/0x000500000001a46c-650.dat family_berbew behavioral1/files/0x000500000001a470-664.dat family_berbew behavioral1/files/0x000500000001a474-679.dat family_berbew behavioral1/files/0x000500000001a47d-704.dat family_berbew behavioral1/files/0x000500000001a484-717.dat family_berbew behavioral1/files/0x000500000001a543-744.dat family_berbew behavioral1/files/0x000500000001c288-766.dat family_berbew behavioral1/files/0x000500000001c71e-792.dat family_berbew behavioral1/files/0x000500000001c82d-816.dat family_berbew behavioral1/files/0x000500000001c832-830.dat family_berbew behavioral1/files/0x000500000001c83f-868.dat family_berbew behavioral1/files/0x000500000001c843-880.dat family_berbew behavioral1/files/0x000500000001c847-892.dat family_berbew behavioral1/files/0x000500000001c84b-904.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2704 Bibpad32.exe 2476 Bjallg32.exe 2488 Bcjqdmla.exe 2580 Bmbemb32.exe 2852 Cemjae32.exe 2352 Cadjgf32.exe 1884 Cljodo32.exe 2652 Ckahkk32.exe 2820 Dpqnhadq.exe 1908 Fjbafi32.exe 1468 Fjdnlhco.exe 2636 Ffkoai32.exe 1176 Filgbdfd.exe 2264 Fkmqdpce.exe 672 Gnmifk32.exe 1728 Gmbfggdo.exe 3068 Hfpdkl32.exe 676 Heealhla.exe 1536 Halbai32.exe 1828 Hjdfjo32.exe 2020 Hdlkcdog.exe 1716 Hhjcic32.exe 1112 Iabhah32.exe 804 Ijklknbn.exe 1748 Idcacc32.exe 1608 Idfnicfl.exe 2956 Lqqpgj32.exe 2120 Mlfacfpc.exe 2356 Nbbbdcgi.exe 884 Ohojmjep.exe 1904 Ookpodkj.exe 2772 Ohcdhi32.exe 1236 Ogiaif32.exe 2380 Oanefo32.exe 2500 Oijjka32.exe 1952 Pgnjde32.exe 2588 Pilfpqaa.exe 2016 Pdakniag.exe 2740 Plmpblnb.exe 1568 Plolgk32.exe 2292 Pciddedl.exe 2204 Pkdihhag.exe 2032 Phhjblpa.exe 2988 Qnebjc32.exe 768 Qhjfgl32.exe 1616 Qngopb32.exe 1136 Agpcihcf.exe 1796 Abegfa32.exe 1084 Agbpnh32.exe 868 Aqjdgmgd.exe 1672 Afgmodel.exe 2516 Aqmamm32.exe 2524 Afjjed32.exe 3052 Aqonbm32.exe 2856 Abpjjeim.exe 2816 Aijbfo32.exe 1960 Bcpgdhpp.exe 2280 Bmhkmm32.exe 1116 Bnihdemo.exe 2400 Becpap32.exe 1048 Boidnh32.exe 1532 Befmfpbi.exe 2040 Bkpeci32.exe 2660 Behilopf.exe -
Loads dropped DLL 64 IoCs
pid Process 1400 df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe 1400 df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe 2704 Bibpad32.exe 2704 Bibpad32.exe 2476 Bjallg32.exe 2476 Bjallg32.exe 2488 Bcjqdmla.exe 2488 Bcjqdmla.exe 2580 Bmbemb32.exe 2580 Bmbemb32.exe 2852 Cemjae32.exe 2852 Cemjae32.exe 2352 Cadjgf32.exe 2352 Cadjgf32.exe 1884 Cljodo32.exe 1884 Cljodo32.exe 2652 Ckahkk32.exe 2652 Ckahkk32.exe 2820 Dpqnhadq.exe 2820 Dpqnhadq.exe 1908 Fjbafi32.exe 1908 Fjbafi32.exe 1468 Fjdnlhco.exe 1468 Fjdnlhco.exe 2636 Ffkoai32.exe 2636 Ffkoai32.exe 1176 Filgbdfd.exe 1176 Filgbdfd.exe 2264 Fkmqdpce.exe 2264 Fkmqdpce.exe 672 Gnmifk32.exe 672 Gnmifk32.exe 1728 Gmbfggdo.exe 1728 Gmbfggdo.exe 3068 Hfpdkl32.exe 3068 Hfpdkl32.exe 676 Heealhla.exe 676 Heealhla.exe 1536 Halbai32.exe 1536 Halbai32.exe 1828 Hjdfjo32.exe 1828 Hjdfjo32.exe 2020 Hdlkcdog.exe 2020 Hdlkcdog.exe 1716 Hhjcic32.exe 1716 Hhjcic32.exe 1112 Iabhah32.exe 1112 Iabhah32.exe 804 Ijklknbn.exe 804 Ijklknbn.exe 1748 Idcacc32.exe 1748 Idcacc32.exe 1584 Kfpifm32.exe 1584 Kfpifm32.exe 2956 Lqqpgj32.exe 2956 Lqqpgj32.exe 2120 Mlfacfpc.exe 2120 Mlfacfpc.exe 2356 Nbbbdcgi.exe 2356 Nbbbdcgi.exe 884 Ohojmjep.exe 884 Ohojmjep.exe 1904 Ookpodkj.exe 1904 Ookpodkj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnlpnk32.dll Fofbhgde.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Aqmamm32.exe File created C:\Windows\SysWOW64\Bjebdfnn.exe Behilopf.exe File created C:\Windows\SysWOW64\Figfejbj.dll Kdnild32.exe File created C:\Windows\SysWOW64\Eeojcmfi.exe Epbbkf32.exe File created C:\Windows\SysWOW64\Imcpdkff.dll Dldkmlhl.exe File created C:\Windows\SysWOW64\Elilld32.dll Ecnoijbd.exe File created C:\Windows\SysWOW64\Onmnmm32.dll Elacliin.exe File created C:\Windows\SysWOW64\Jdilhpcp.dll Pfebnmcj.exe File created C:\Windows\SysWOW64\Hailie32.dll Qaapcj32.exe File opened for modification C:\Windows\SysWOW64\Cmkfji32.exe Cgnnab32.exe File opened for modification C:\Windows\SysWOW64\Kbmfgk32.exe Kmqmod32.exe File opened for modification C:\Windows\SysWOW64\Lljpjchg.exe Lcblan32.exe File created C:\Windows\SysWOW64\Iakino32.exe Gecpnp32.exe File opened for modification C:\Windows\SysWOW64\Jefpeh32.exe Jpigma32.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Lonpma32.exe File created C:\Windows\SysWOW64\Apedah32.exe Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Ckahkk32.exe Cljodo32.exe File created C:\Windows\SysWOW64\Gphfihaj.dll Gqahqd32.exe File opened for modification C:\Windows\SysWOW64\Eifmimch.exe Efhqmadd.exe File created C:\Windows\SysWOW64\Jjfkgcdc.dll Djjjga32.exe File created C:\Windows\SysWOW64\Loqmba32.exe Lhfefgkg.exe File created C:\Windows\SysWOW64\Ldmopa32.exe Lkdjglfo.exe File created C:\Windows\SysWOW64\Ginaep32.dll Bpbmqe32.exe File opened for modification C:\Windows\SysWOW64\Mhqjen32.exe Lafahdcc.exe File opened for modification C:\Windows\SysWOW64\Abpjjeim.exe Aqonbm32.exe File created C:\Windows\SysWOW64\Aljcpg32.dll Gnnlocgk.exe File created C:\Windows\SysWOW64\Nmflee32.exe Nflchkii.exe File opened for modification C:\Windows\SysWOW64\Iphgln32.exe Ingkdeak.exe File created C:\Windows\SysWOW64\Ljigih32.exe Ldmopa32.exe File opened for modification C:\Windows\SysWOW64\Phklaacg.exe Pmehdh32.exe File created C:\Windows\SysWOW64\Njekpl32.dll Fjdnlhco.exe File opened for modification C:\Windows\SysWOW64\Mmbmeifk.exe Mjcaimgg.exe File created C:\Windows\SysWOW64\Gmoloenf.dll Pohhna32.exe File created C:\Windows\SysWOW64\Gqlhkofn.exe Gnnlocgk.exe File created C:\Windows\SysWOW64\Gqaafn32.exe Gcmamj32.exe File opened for modification C:\Windows\SysWOW64\Ilcalnii.exe Iejiodbl.exe File opened for modification C:\Windows\SysWOW64\Gnmifk32.exe Fkmqdpce.exe File opened for modification C:\Windows\SysWOW64\Aqjdgmgd.exe Agbpnh32.exe File created C:\Windows\SysWOW64\Peblpbgn.dll Pleofj32.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Obgnhkkh.exe File created C:\Windows\SysWOW64\Gojhafnb.exe Fimoiopk.exe File opened for modification C:\Windows\SysWOW64\Lnhgim32.exe Llgjaeoj.exe File opened for modification C:\Windows\SysWOW64\Hmjoqo32.exe Hbdjcffd.exe File opened for modification C:\Windows\SysWOW64\Dekdikhc.exe Dnqlmq32.exe File created C:\Windows\SysWOW64\Hkekhpob.dll Fkefbcmf.exe File created C:\Windows\SysWOW64\Honjhkme.dll Ogliemkk.exe File created C:\Windows\SysWOW64\Aqjdgmgd.exe Agbpnh32.exe File created C:\Windows\SysWOW64\Iomhdbkn.dll Cjjkpe32.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ibejdjln.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Ibejdjln.exe File created C:\Windows\SysWOW64\Fbbnekdd.dll Qcogbdkg.exe File created C:\Windows\SysWOW64\Picojhcm.exe Pfebnmcj.exe File created C:\Windows\SysWOW64\Lclknm32.dll Bqmpdioa.exe File created C:\Windows\SysWOW64\Hdlkcdog.exe Hjdfjo32.exe File created C:\Windows\SysWOW64\Hhjcic32.exe Hdlkcdog.exe File created C:\Windows\SysWOW64\Pgnjde32.exe Oijjka32.exe File created C:\Windows\SysWOW64\Ohcdhi32.exe Ookpodkj.exe File opened for modification C:\Windows\SysWOW64\Pkdihhag.exe Pciddedl.exe File opened for modification C:\Windows\SysWOW64\Pdbmfb32.exe Pacajg32.exe File opened for modification C:\Windows\SysWOW64\Mdghaf32.exe Mnmpdlac.exe File opened for modification C:\Windows\SysWOW64\Pidfdofi.exe Phcilf32.exe File created C:\Windows\SysWOW64\Fofbhgde.exe Fplllkdc.exe File created C:\Windows\SysWOW64\Iinkmi32.dll Nmabjfek.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5188 2580 Process not Found 1438 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jefpeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoiil32.dll" Mjkibehc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejcohho.dll" Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imodkadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljigih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcmklh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhnmoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkmqdpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oanefo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbncjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqpagjge.dll" Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgaocl.dll" Fjhcegll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npjlhcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhepoaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll" Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfdddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqlhkofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klihnmmj.dll" Jdflqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kajiigba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhqjen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afdiondb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnlcm32.dll" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckahkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modcdaml.dll" Filgbdfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idcacc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahmmdf.dll" Idfnicfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqjelqn.dll" Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Heliepmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhmhk32.dll" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djepnq32.dll" Mnblhddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlkglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjjgb32.dll" Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hannfn32.dll" Aeoijidl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafalh32.dll" Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhpglecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nameek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmdjb32.dll" Objjnkie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nkehql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Halbai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjmnjkjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1400 wrote to memory of 2704 1400 df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe 28 PID 1400 wrote to memory of 2704 1400 df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe 28 PID 1400 wrote to memory of 2704 1400 df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe 28 PID 1400 wrote to memory of 2704 1400 df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe 28 PID 2704 wrote to memory of 2476 2704 Bibpad32.exe 29 PID 2704 wrote to memory of 2476 2704 Bibpad32.exe 29 PID 2704 wrote to memory of 2476 2704 Bibpad32.exe 29 PID 2704 wrote to memory of 2476 2704 Bibpad32.exe 29 PID 2476 wrote to memory of 2488 2476 Bjallg32.exe 523 PID 2476 wrote to memory of 2488 2476 Bjallg32.exe 523 PID 2476 wrote to memory of 2488 2476 Bjallg32.exe 523 PID 2476 wrote to memory of 2488 2476 Bjallg32.exe 523 PID 2488 wrote to memory of 2580 2488 Bcjqdmla.exe 1438 PID 2488 wrote to memory of 2580 2488 Bcjqdmla.exe 1438 PID 2488 wrote to memory of 2580 2488 Bcjqdmla.exe 1438 PID 2488 wrote to memory of 2580 2488 Bcjqdmla.exe 1438 PID 2580 wrote to memory of 2852 2580 Bmbemb32.exe 396 PID 2580 wrote to memory of 2852 2580 Bmbemb32.exe 396 PID 2580 wrote to memory of 2852 2580 Bmbemb32.exe 396 PID 2580 wrote to memory of 2852 2580 Bmbemb32.exe 396 PID 2852 wrote to memory of 2352 2852 Cemjae32.exe 33 PID 2852 wrote to memory of 2352 2852 Cemjae32.exe 33 PID 2852 wrote to memory of 2352 2852 Cemjae32.exe 33 PID 2852 wrote to memory of 2352 2852 Cemjae32.exe 33 PID 2352 wrote to memory of 1884 2352 Cadjgf32.exe 510 PID 2352 wrote to memory of 1884 2352 Cadjgf32.exe 510 PID 2352 wrote to memory of 1884 2352 Cadjgf32.exe 510 PID 2352 wrote to memory of 1884 2352 Cadjgf32.exe 510 PID 1884 wrote to memory of 2652 1884 Cljodo32.exe 397 PID 1884 wrote to memory of 2652 1884 Cljodo32.exe 397 PID 1884 wrote to memory of 2652 1884 Cljodo32.exe 397 PID 1884 wrote to memory of 2652 1884 Cljodo32.exe 397 PID 2652 wrote to memory of 2820 2652 Ckahkk32.exe 417 PID 2652 wrote to memory of 2820 2652 Ckahkk32.exe 417 PID 2652 wrote to memory of 2820 2652 Ckahkk32.exe 417 PID 2652 wrote to memory of 2820 2652 Ckahkk32.exe 417 PID 2820 wrote to memory of 1908 2820 Dpqnhadq.exe 518 PID 2820 wrote to memory of 1908 2820 Dpqnhadq.exe 518 PID 2820 wrote to memory of 1908 2820 Dpqnhadq.exe 518 PID 2820 wrote to memory of 1908 2820 Dpqnhadq.exe 518 PID 1908 wrote to memory of 1468 1908 Fjbafi32.exe 38 PID 1908 wrote to memory of 1468 1908 Fjbafi32.exe 38 PID 1908 wrote to memory of 1468 1908 Fjbafi32.exe 38 PID 1908 wrote to memory of 1468 1908 Fjbafi32.exe 38 PID 1468 wrote to memory of 2636 1468 Fjdnlhco.exe 537 PID 1468 wrote to memory of 2636 1468 Fjdnlhco.exe 537 PID 1468 wrote to memory of 2636 1468 Fjdnlhco.exe 537 PID 1468 wrote to memory of 2636 1468 Fjdnlhco.exe 537 PID 2636 wrote to memory of 1176 2636 Ffkoai32.exe 448 PID 2636 wrote to memory of 1176 2636 Ffkoai32.exe 448 PID 2636 wrote to memory of 1176 2636 Ffkoai32.exe 448 PID 2636 wrote to memory of 1176 2636 Ffkoai32.exe 448 PID 1176 wrote to memory of 2264 1176 Filgbdfd.exe 552 PID 1176 wrote to memory of 2264 1176 Filgbdfd.exe 552 PID 1176 wrote to memory of 2264 1176 Filgbdfd.exe 552 PID 1176 wrote to memory of 2264 1176 Filgbdfd.exe 552 PID 2264 wrote to memory of 672 2264 Fkmqdpce.exe 496 PID 2264 wrote to memory of 672 2264 Fkmqdpce.exe 496 PID 2264 wrote to memory of 672 2264 Fkmqdpce.exe 496 PID 2264 wrote to memory of 672 2264 Fkmqdpce.exe 496 PID 672 wrote to memory of 1728 672 Gnmifk32.exe 43 PID 672 wrote to memory of 1728 672 Gnmifk32.exe 43 PID 672 wrote to memory of 1728 672 Gnmifk32.exe 43 PID 672 wrote to memory of 1728 672 Gnmifk32.exe 43
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\df3df8e680ea6a28aecac60a8edd9ab0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe28⤵
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe34⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe35⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe40⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe41⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe42⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe44⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe45⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe46⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe47⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe48⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe49⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe50⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe52⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe53⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe55⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe57⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe58⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe59⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe60⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe61⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe62⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe63⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe65⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe67⤵PID:1756
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe68⤵PID:2132
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe69⤵PID:1508
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe71⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe72⤵PID:2368
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe73⤵PID:2532
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe74⤵PID:2332
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe75⤵PID:2672
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe78⤵PID:1724
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe79⤵PID:1772
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe80⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe81⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe82⤵PID:1296
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe83⤵PID:708
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe84⤵PID:2160
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe85⤵PID:2692
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe86⤵PID:2240
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe87⤵PID:2424
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe88⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe89⤵PID:2792
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe90⤵PID:2648
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe91⤵PID:1636
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe93⤵PID:1720
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe94⤵PID:556
-
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe95⤵PID:1488
-
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe96⤵PID:2036
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe97⤵PID:704
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe98⤵PID:1388
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe99⤵
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe101⤵PID:2252
-
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe102⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe103⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe104⤵PID:2084
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe105⤵PID:1544
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe107⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe108⤵PID:1204
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe109⤵PID:908
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe110⤵PID:3040
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe112⤵PID:2808
-
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe113⤵
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe114⤵PID:2224
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe115⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe116⤵PID:1712
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe117⤵PID:2568
-
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe119⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe120⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe122⤵PID:2680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-