Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 13:02
Behavioral task: behavioral1
- Sample: 3c6f855ed6a7306d02914e2c1931b450_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3c6f855ed6a7306d02914e2c1931b450_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 3c6f855ed6a7306d02914e2c1931b450_NeikiAnalytics.exe
- Size: 448KB
- MD5: 3c6f855ed6a7306d02914e2c1931b450
- SHA1: b8781689a30ac560ba7cd56b39db69fbe5065e35
- SHA256: 647a7c4cdd765efd917869c419f895d477aed0e8faf610f199f887096e38c645
- SHA512: 9587a6dcbe4b33c481506f27b01124f1406c245a6e2c161b3dcb6034df966727e8e585b9b86f86c8b0400dd5a6008f4a3d5c07ebdde5e77678ea8f4766824759
- SSDEEP: 6144:p92+Kz3LlCRgLG7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzk:p92jz8O67aOlxzr3cOK3TajRfXFMKNxC
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target  Process       procid_target
5404  5296        WerFault.exe  545
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c6f855ed6a7306d02914e2c1931b450_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3c6f855ed6a7306d02914e2c1931b450_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Eloemi32.exeC:\Windows\system32\Eloemi32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Fhhcgj32.exeC:\Windows\system32\Fhhcgj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe33⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe34⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe35⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe36⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe37⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe40⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe41⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe42⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe43⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe44⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe45⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe46⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe50⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe51⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe53⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe54⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe55⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe56⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe58⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe59⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe60⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe61⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe62⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe63⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hellne32.exeC:\Windows\system32\Hellne32.exe64⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe65⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe66⤵PID:1128
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe67⤵PID:536
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe68⤵PID:1412
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe69⤵PID:760
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe70⤵PID:2272
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe71⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe72⤵PID:2660
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe73⤵PID:2236
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe74⤵PID:592
-
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe75⤵PID:2856
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe76⤵PID:2612
-
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe77⤵PID:276
-
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe78⤵PID:2652
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2772 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe80⤵PID:2788
-
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe81⤵
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe82⤵PID:2900
-
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe83⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe84⤵PID:988
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe85⤵PID:1580
-
C:\Windows\SysWOW64\Imfqjbli.exeC:\Windows\system32\Imfqjbli.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe87⤵PID:1908
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe88⤵PID:2412
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe89⤵PID:300
-
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe90⤵PID:1436
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe91⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe92⤵
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe93⤵PID:2384
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe94⤵PID:1520
-
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe96⤵PID:1544
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe97⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe99⤵PID:1648
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe100⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe101⤵PID:2576
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe102⤵
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe103⤵PID:1784
-
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe104⤵PID:2628
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe105⤵PID:2616
-
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe106⤵PID:756
-
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe107⤵PID:2088
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe108⤵PID:1572
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe109⤵PID:2820
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe110⤵PID:528
-
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2040 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:680 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe113⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe114⤵PID:2284
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe115⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe116⤵PID:1512
-
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe117⤵PID:2716
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe118⤵PID:2160
-
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe119⤵PID:2256
-
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe120⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe121⤵
- Drops file in System32 directory
PID:1236 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe122⤵PID:2544
-