Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:36
Behavioral task
behavioral1
Sample
e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe
Resource
win10v2004-20240426-en
General
-
Target
e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe
-
Size
153KB
-
MD5
e10290181a6d5308c48f9f236a7c78d0
-
SHA1
7fe06d01e2d4635254f1cac9df7bb05f1341be4d
-
SHA256
10a0e8f8e70bd5d071c749025a2e9b533ff2ac468d83b85f4622606465ed3cb1
-
SHA512
58a89208bb6bf5c49d6b122251024482b0d6a0cfa83106e0d4d8ddfcf843ea4b77f078c08f284d4dfdf0c111f55b27af673d765064a1edf9122159e3b18637a5
-
SSDEEP
3072:Wq+Z8GI9/FwUAEQGBcHN0OlaxP3DZyN/+oeRpxPdZFibDyxn:W78GIv7AHj05xP3DZyN1eRppzcexn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiedjneg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgcabqic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfiidobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqcagfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinead32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcple32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjblg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okchhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plahag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbkpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baildokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohbip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaocp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plfamfpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiekid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofejom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npnhlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hckcmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaefjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djbiicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odegpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obigjnkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffnphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epaogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mochnppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hogmmjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoomd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhfagipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioccco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkodhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjgbcoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmibdlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnbobin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobbhfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hglocnmp.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a00000001211e-5.dat family_berbew behavioral1/files/0x00090000000134f5-18.dat family_berbew behavioral1/files/0x0008000000013a15-34.dat family_berbew behavioral1/files/0x0008000000013a85-47.dat family_berbew behavioral1/files/0x0006000000014525-60.dat family_berbew behavioral1/files/0x00060000000145d4-80.dat family_berbew behavioral1/files/0x0006000000014730-87.dat family_berbew behavioral1/files/0x000600000001475f-101.dat family_berbew behavioral1/files/0x0006000000014a29-114.dat family_berbew behavioral1/files/0x0006000000014d0f-130.dat family_berbew behavioral1/files/0x0006000000015077-140.dat family_berbew behavioral1/files/0x000600000001523e-154.dat family_berbew behavioral1/files/0x00060000000155e8-167.dat family_berbew behavioral1/files/0x0006000000015b37-180.dat family_berbew behavioral1/files/0x0006000000015bb5-193.dat family_berbew behavioral1/files/0x0006000000015c9b-212.dat family_berbew behavioral1/memory/2092-214-0x00000000002E0000-0x000000000031E000-memory.dmp family_berbew behavioral1/files/0x0006000000015cc2-222.dat family_berbew behavioral1/files/0x003a000000013362-232.dat family_berbew behavioral1/files/0x0006000000015ce1-243.dat family_berbew behavioral1/memory/292-257-0x0000000000250000-0x000000000028E000-memory.dmp family_berbew behavioral1/memory/292-256-0x0000000000250000-0x000000000028E000-memory.dmp family_berbew behavioral1/files/0x0006000000015cf5-253.dat family_berbew behavioral1/files/0x0006000000015d13-265.dat family_berbew behavioral1/files/0x0006000000015d28-276.dat family_berbew behavioral1/files/0x0006000000015d99-287.dat family_berbew behavioral1/files/0x0006000000015fbb-296.dat family_berbew behavioral1/memory/2948-311-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/memory/2948-310-0x00000000002D0000-0x000000000030E000-memory.dmp family_berbew behavioral1/files/0x0006000000016126-307.dat family_berbew behavioral1/files/0x000600000001640f-318.dat family_berbew behavioral1/files/0x0006000000016591-329.dat family_berbew behavioral1/files/0x0006000000016a3a-340.dat family_berbew behavioral1/files/0x0006000000016c57-353.dat family_berbew behavioral1/files/0x0006000000016ca1-362.dat family_berbew behavioral1/files/0x0006000000016cf2-372.dat family_berbew behavioral1/files/0x0006000000016d10-383.dat family_berbew behavioral1/files/0x0006000000016d21-394.dat family_berbew behavioral1/files/0x0006000000016d36-405.dat family_berbew behavioral1/files/0x0006000000016d46-418.dat family_berbew behavioral1/files/0x0006000000016d57-427.dat family_berbew behavioral1/files/0x0006000000016d73-441.dat family_berbew behavioral1/files/0x0006000000016d7d-449.dat family_berbew behavioral1/files/0x000600000001708c-460.dat family_berbew behavioral1/files/0x000600000001738e-471.dat family_berbew behavioral1/files/0x00060000000173e2-482.dat family_berbew behavioral1/files/0x0006000000017436-493.dat family_berbew behavioral1/files/0x0006000000017577-507.dat family_berbew behavioral1/files/0x00060000000175fd-515.dat family_berbew behavioral1/files/0x000d000000018689-526.dat family_berbew behavioral1/files/0x000500000001870e-537.dat family_berbew behavioral1/files/0x0005000000018749-547.dat family_berbew behavioral1/files/0x000600000001902f-559.dat family_berbew behavioral1/files/0x000500000001925a-568.dat family_berbew behavioral1/files/0x000500000001927b-578.dat family_berbew behavioral1/files/0x000500000001937a-590.dat family_berbew behavioral1/files/0x00050000000193b6-595.dat family_berbew behavioral1/files/0x00050000000193d4-612.dat family_berbew behavioral1/files/0x00050000000193fd-624.dat family_berbew behavioral1/files/0x000500000001943a-636.dat family_berbew behavioral1/files/0x0005000000019539-647.dat family_berbew behavioral1/files/0x0005000000019618-660.dat family_berbew behavioral1/files/0x000500000001961d-672.dat family_berbew behavioral1/files/0x0005000000019621-682.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1736 Haogkgoh.exe 2404 Hglocnmp.exe 2824 Hqddldcp.exe 2664 Hgolhn32.exe 1676 Idblbb32.exe 2548 Ifdiijpe.exe 3052 Iolmbpfe.exe 2908 Iffeoj32.exe 2432 Icjfhn32.exe 1660 Ijdnehci.exe 2856 Ioagno32.exe 2740 Ienoff32.exe 1872 Ioccco32.exe 1444 Jeplkf32.exe 2092 Joepio32.exe 2456 Jbdlejmn.exe 768 Jinead32.exe 1496 Jnkmjk32.exe 292 Jgcabqic.exe 1564 Jnmjok32.exe 1912 Jfhocmnk.exe 900 Jnofejom.exe 2996 Jclomamd.exe 2948 Jfkkimlh.exe 468 Kpcpbb32.exe 856 Kcolba32.exe 3060 Kjhdokbo.exe 2332 Kljqgc32.exe 2792 Kebepion.exe 2952 Kmimafop.exe 2720 Kfaajlfp.exe 2652 Khcnad32.exe 2596 Klnjbbdh.exe 1728 Komfnnck.exe 2924 Klqfhbbe.exe 2840 Koocdnai.exe 2036 Loapim32.exe 1688 Laplei32.exe 1152 Lkhpnnej.exe 1708 Labhkh32.exe 2232 Lpeifeca.exe 2500 Lkkmdn32.exe 2760 Limmokib.exe 2136 Lpgele32.exe 1480 Lganiohl.exe 1596 Lmkfei32.exe 1376 Llnfaffc.exe 868 Lchnnp32.exe 2308 Lefkjkmc.exe 2440 Lmnbkinf.exe 1980 Llqcfe32.exe 1576 Mgfgdn32.exe 1800 Meigpkka.exe 2776 Mlcple32.exe 2828 Mpolmdkg.exe 2712 Maphdl32.exe 1252 Migpeiag.exe 308 Mlelaeqk.exe 3028 Mochnppo.exe 1796 Menakj32.exe 2724 Mdqafgnf.exe 2896 Mkjica32.exe 1532 Mofecpnl.exe 2508 Mepnpj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe 2220 e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe 1736 Haogkgoh.exe 1736 Haogkgoh.exe 2404 Hglocnmp.exe 2404 Hglocnmp.exe 2824 Hqddldcp.exe 2824 Hqddldcp.exe 2664 Hgolhn32.exe 2664 Hgolhn32.exe 1676 Idblbb32.exe 1676 Idblbb32.exe 2548 Ifdiijpe.exe 2548 Ifdiijpe.exe 3052 Iolmbpfe.exe 3052 Iolmbpfe.exe 2908 Iffeoj32.exe 2908 Iffeoj32.exe 2432 Icjfhn32.exe 2432 Icjfhn32.exe 1660 Ijdnehci.exe 1660 Ijdnehci.exe 2856 Ioagno32.exe 2856 Ioagno32.exe 2740 Ienoff32.exe 2740 Ienoff32.exe 1872 Ioccco32.exe 1872 Ioccco32.exe 1444 Jeplkf32.exe 1444 Jeplkf32.exe 2092 Joepio32.exe 2092 Joepio32.exe 2456 Jbdlejmn.exe 2456 Jbdlejmn.exe 768 Jinead32.exe 768 Jinead32.exe 1496 Jnkmjk32.exe 1496 Jnkmjk32.exe 292 Jgcabqic.exe 292 Jgcabqic.exe 1564 Jnmjok32.exe 1564 Jnmjok32.exe 1912 Jfhocmnk.exe 1912 Jfhocmnk.exe 900 Jnofejom.exe 900 Jnofejom.exe 2996 Jclomamd.exe 2996 Jclomamd.exe 2948 Jfkkimlh.exe 2948 Jfkkimlh.exe 468 Kpcpbb32.exe 468 Kpcpbb32.exe 856 Kcolba32.exe 856 Kcolba32.exe 3060 Kjhdokbo.exe 3060 Kjhdokbo.exe 2332 Kljqgc32.exe 2332 Kljqgc32.exe 2792 Kebepion.exe 2792 Kebepion.exe 2952 Kmimafop.exe 2952 Kmimafop.exe 2720 Kfaajlfp.exe 2720 Kfaajlfp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Okchhc32.exe Odjpkihg.exe File opened for modification C:\Windows\SysWOW64\Plfamfpm.exe Pelipl32.exe File created C:\Windows\SysWOW64\Qhooggdn.exe Qaefjm32.exe File opened for modification C:\Windows\SysWOW64\Gbkgnfbd.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Lmkfei32.exe Lganiohl.exe File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Dodonf32.exe Dgmglh32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File opened for modification C:\Windows\SysWOW64\Npnhlg32.exe Nlblkhei.exe File opened for modification C:\Windows\SysWOW64\Nfpjomgd.exe Ncancbha.exe File opened for modification C:\Windows\SysWOW64\Bommnc32.exe Bloqah32.exe File created C:\Windows\SysWOW64\Mbiiek32.dll Cfinoq32.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Kebepion.exe Kljqgc32.exe File opened for modification C:\Windows\SysWOW64\Afdlhchf.exe Ahakmf32.exe File created C:\Windows\SysWOW64\Gpekfank.dll Gddifnbk.exe File created C:\Windows\SysWOW64\Mpmchlpl.dll Pfdpip32.exe File created C:\Windows\SysWOW64\Ciiqqh32.dll Jinead32.exe File opened for modification C:\Windows\SysWOW64\Cgbdhd32.exe Coklgg32.exe File created C:\Windows\SysWOW64\Nobdlg32.dll Dqjepm32.exe File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe Gbijhg32.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Ijdnehci.exe Icjfhn32.exe File created C:\Windows\SysWOW64\Gacpdbej.exe Gmgdddmq.exe File created C:\Windows\SysWOW64\Hnempl32.dll Gacpdbej.exe File created C:\Windows\SysWOW64\Facdeo32.exe Filldb32.exe File opened for modification C:\Windows\SysWOW64\Efncicpm.exe Ecpgmhai.exe File opened for modification C:\Windows\SysWOW64\Afmonbqk.exe Apcfahio.exe File created C:\Windows\SysWOW64\Aiifgf32.dll Ifdiijpe.exe File created C:\Windows\SysWOW64\Piblek32.exe Pfdpip32.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Begeknan.exe File created C:\Windows\SysWOW64\Iolmbpfe.exe Ifdiijpe.exe File created C:\Windows\SysWOW64\Ddflckmp.dll Bhhnli32.exe File created C:\Windows\SysWOW64\Gbijhg32.exe Gpknlk32.exe File opened for modification C:\Windows\SysWOW64\Komfnnck.exe Klnjbbdh.exe File created C:\Windows\SysWOW64\Qdcbfq32.dll Fnpnndgp.exe File opened for modification C:\Windows\SysWOW64\Qnigda32.exe Qhooggdn.exe File created C:\Windows\SysWOW64\Jeplkf32.exe Ioccco32.exe File created C:\Windows\SysWOW64\Dgdmmgpj.exe Dchali32.exe File created C:\Windows\SysWOW64\Nbipbe32.dll Kljqgc32.exe File opened for modification C:\Windows\SysWOW64\Fioija32.exe Fbdqmghm.exe File created C:\Windows\SysWOW64\Flmefm32.exe Fioija32.exe File created C:\Windows\SysWOW64\Gpknlk32.exe Fmlapp32.exe File created C:\Windows\SysWOW64\Mghjoa32.dll Dhmcfkme.exe File created C:\Windows\SysWOW64\Qefpjhef.dll Cgbdhd32.exe File opened for modification C:\Windows\SysWOW64\Mochnppo.exe Mlelaeqk.exe File created C:\Windows\SysWOW64\Dhjfhhen.dll Onmkio32.exe File created C:\Windows\SysWOW64\Qaefjm32.exe Qbbfopeg.exe File opened for modification C:\Windows\SysWOW64\Dgaqgh32.exe Dcfdgiid.exe File created C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gejcjbah.exe File created C:\Windows\SysWOW64\Igoopg32.dll Laplei32.exe File created C:\Windows\SysWOW64\Nfmmin32.exe Ncoamb32.exe File created C:\Windows\SysWOW64\Dfdceg32.dll Ahakmf32.exe File created C:\Windows\SysWOW64\Jpbpbqda.dll Djbiicon.exe File created C:\Windows\SysWOW64\Kebepion.exe Kljqgc32.exe File opened for modification C:\Windows\SysWOW64\Cjndop32.exe Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Cobbhfhg.exe Clcflkic.exe File created C:\Windows\SysWOW64\Gopkmhjk.exe Gfefiemq.exe File created C:\Windows\SysWOW64\Abmibdlh.exe Adjigg32.exe File created C:\Windows\SysWOW64\Nccjhafn.exe Nkmbgdfl.exe File created C:\Windows\SysWOW64\Penfelgm.exe Pabjem32.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Penfelgm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4036 3996 WerFault.exe 334 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" Fpdhklkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbolpc32.dll" Dodonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcbom32.dll" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Fnpnndgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gejcjbah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idblbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpeofk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnbhek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcagfim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpnnmjg.dll" Ncancbha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgocalod.dll" Lmkfei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkmjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcolba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecpgmhai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facdeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iffeoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbgmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kljqgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbiki.dll" Admemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjpkihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmobb32.dll" Ijdnehci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckignd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qefpjhef.dll" Cgbdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plahag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpknlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfjkpdk.dll" Jbdlejmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flmefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll" Hiqbndpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmimafop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmkio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jolfcj32.dll" Apajlhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinead32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmen32.dll" Mkjica32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjpqdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ealnephf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqddldcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apajlhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iolmbpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agkjoj32.dll" Mohbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hpapln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeeh32.dll" Llqcfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnfjna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iffeoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdalhhc.dll" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcolba32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 1736 2220 e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe 28 PID 2220 wrote to memory of 1736 2220 e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe 28 PID 2220 wrote to memory of 1736 2220 e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe 28 PID 2220 wrote to memory of 1736 2220 e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe 28 PID 1736 wrote to memory of 2404 1736 Haogkgoh.exe 29 PID 1736 wrote to memory of 2404 1736 Haogkgoh.exe 29 PID 1736 wrote to memory of 2404 1736 Haogkgoh.exe 29 PID 1736 wrote to memory of 2404 1736 Haogkgoh.exe 29 PID 2404 wrote to memory of 2824 2404 Hglocnmp.exe 30 PID 2404 wrote to memory of 2824 2404 Hglocnmp.exe 30 PID 2404 wrote to memory of 2824 2404 Hglocnmp.exe 30 PID 2404 wrote to memory of 2824 2404 Hglocnmp.exe 30 PID 2824 wrote to memory of 2664 2824 Hqddldcp.exe 31 PID 2824 wrote to memory of 2664 2824 Hqddldcp.exe 31 PID 2824 wrote to memory of 2664 2824 Hqddldcp.exe 31 PID 2824 wrote to memory of 2664 2824 Hqddldcp.exe 31 PID 2664 wrote to memory of 1676 2664 Hgolhn32.exe 32 PID 2664 wrote to memory of 1676 2664 Hgolhn32.exe 32 PID 2664 wrote to memory of 1676 2664 Hgolhn32.exe 32 PID 2664 wrote to memory of 1676 2664 Hgolhn32.exe 32 PID 1676 wrote to memory of 2548 1676 Idblbb32.exe 33 PID 1676 wrote to memory of 2548 1676 Idblbb32.exe 33 PID 1676 wrote to memory of 2548 1676 Idblbb32.exe 33 PID 1676 wrote to memory of 2548 1676 Idblbb32.exe 33 PID 2548 wrote to memory of 3052 2548 Ifdiijpe.exe 34 PID 2548 wrote to memory of 3052 2548 Ifdiijpe.exe 34 PID 2548 wrote to memory of 3052 2548 Ifdiijpe.exe 34 PID 2548 wrote to memory of 3052 2548 Ifdiijpe.exe 34 PID 3052 wrote to memory of 2908 3052 Iolmbpfe.exe 35 PID 3052 wrote to memory of 2908 3052 Iolmbpfe.exe 35 PID 3052 wrote to memory of 2908 3052 Iolmbpfe.exe 35 PID 3052 wrote to memory of 2908 3052 Iolmbpfe.exe 35 PID 2908 wrote to memory of 2432 2908 Iffeoj32.exe 36 PID 2908 wrote to memory of 2432 2908 Iffeoj32.exe 36 PID 2908 wrote to memory of 2432 2908 Iffeoj32.exe 36 PID 2908 wrote to memory of 2432 2908 Iffeoj32.exe 36 PID 2432 wrote to memory of 1660 2432 Icjfhn32.exe 37 PID 2432 wrote to memory of 1660 2432 Icjfhn32.exe 37 PID 2432 wrote to memory of 1660 2432 Icjfhn32.exe 37 PID 2432 wrote to memory of 1660 2432 Icjfhn32.exe 37 PID 1660 wrote to memory of 2856 1660 Ijdnehci.exe 38 PID 1660 wrote to memory of 2856 1660 Ijdnehci.exe 38 PID 1660 wrote to memory of 2856 1660 Ijdnehci.exe 38 PID 1660 wrote to memory of 2856 1660 Ijdnehci.exe 38 PID 2856 wrote to memory of 2740 2856 Ioagno32.exe 39 PID 2856 wrote to memory of 2740 2856 Ioagno32.exe 39 PID 2856 wrote to memory of 2740 2856 Ioagno32.exe 39 PID 2856 wrote to memory of 2740 2856 Ioagno32.exe 39 PID 2740 wrote to memory of 1872 2740 Ienoff32.exe 40 PID 2740 wrote to memory of 1872 2740 Ienoff32.exe 40 PID 2740 wrote to memory of 1872 2740 Ienoff32.exe 40 PID 2740 wrote to memory of 1872 2740 Ienoff32.exe 40 PID 1872 wrote to memory of 1444 1872 Ioccco32.exe 41 PID 1872 wrote to memory of 1444 1872 Ioccco32.exe 41 PID 1872 wrote to memory of 1444 1872 Ioccco32.exe 41 PID 1872 wrote to memory of 1444 1872 Ioccco32.exe 41 PID 1444 wrote to memory of 2092 1444 Jeplkf32.exe 42 PID 1444 wrote to memory of 2092 1444 Jeplkf32.exe 42 PID 1444 wrote to memory of 2092 1444 Jeplkf32.exe 42 PID 1444 wrote to memory of 2092 1444 Jeplkf32.exe 42 PID 2092 wrote to memory of 2456 2092 Joepio32.exe 43 PID 2092 wrote to memory of 2456 2092 Joepio32.exe 43 PID 2092 wrote to memory of 2456 2092 Joepio32.exe 43 PID 2092 wrote to memory of 2456 2092 Joepio32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\e10290181a6d5308c48f9f236a7c78d0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Haogkgoh.exeC:\Windows\system32\Haogkgoh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Hglocnmp.exeC:\Windows\system32\Hglocnmp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Hqddldcp.exeC:\Windows\system32\Hqddldcp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ifdiijpe.exeC:\Windows\system32\Ifdiijpe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Iffeoj32.exeC:\Windows\system32\Iffeoj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ioagno32.exeC:\Windows\system32\Ioagno32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Jnmjok32.exeC:\Windows\system32\Jnmjok32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:468 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe33⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe35⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe37⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe38⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe40⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe41⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe42⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe43⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe44⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe45⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe48⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe49⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe50⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe51⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe53⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe54⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe56⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe57⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe58⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe61⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe62⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe64⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe65⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe66⤵PID:1044
-
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe67⤵PID:988
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe69⤵PID:2976
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe70⤵PID:2940
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe71⤵PID:3068
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe72⤵PID:1508
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe75⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe77⤵PID:2744
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe78⤵PID:1624
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe79⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe80⤵PID:2100
-
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe81⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe82⤵PID:2512
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe83⤵
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe85⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ncancbha.exeC:\Windows\system32\Ncancbha.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe87⤵PID:2464
-
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe89⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe90⤵PID:2472
-
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe91⤵PID:2800
-
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe96⤵PID:112
-
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe97⤵PID:2172
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe98⤵PID:2088
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe99⤵PID:1548
-
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe102⤵PID:1116
-
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe103⤵PID:564
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe104⤵PID:1608
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe105⤵PID:1600
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe106⤵PID:2672
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe107⤵PID:2660
-
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe108⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe109⤵PID:2608
-
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe111⤵PID:1436
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe112⤵PID:2152
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe113⤵PID:2264
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe114⤵PID:604
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2260 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe116⤵PID:2208
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe117⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe118⤵PID:2808
-
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2072 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe121⤵PID:1584
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-