Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:06
Behavioral task
behavioral1
Sample
5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe
-
Size
256KB
-
MD5
5479c93625eb65150f5d4121adb22a70
-
SHA1
58e2a68ca78fa79bdbe21b5d64dc98eafed14755
-
SHA256
63aa66a0b5473119ab951194a9c1bb79098eb42932db85fec7c49ef2af106153
-
SHA512
7dce4487ad028498a39a76cd5120477bc2b390dcdf6ca70e6d563aa5113082439dedb2ac4dcdb6ef4e60091930cd1659c29693f739813a254dccc71f0dd5b2d7
-
SSDEEP
6144:WiRRqxZWbjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:nRqCPlpJxifbWGRdA6sQhPbWGRdA6sQi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjhabndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egikjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfckcoen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkomjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cngcll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lophacfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nommodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhiddoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmnojp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnmjpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphooc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdagg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqgddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkioeig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmblnif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmpooah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgfdie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdcfoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpgloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnladjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohbikbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edclib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joblkegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amgjnepn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbaopdj.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2856-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000d000000014698-5.dat family_berbew behavioral1/memory/2856-6-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/memory/2856-13-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x0008000000015364-23.dat family_berbew behavioral1/files/0x00070000000155d9-40.dat family_berbew behavioral1/files/0x0008000000015d88-47.dat family_berbew behavioral1/files/0x0006000000016d11-60.dat family_berbew behavioral1/memory/2500-68-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000016d36-74.dat family_berbew behavioral1/memory/2500-80-0x00000000002D0000-0x0000000000310000-memory.dmp family_berbew behavioral1/memory/2632-62-0x00000000002C0000-0x0000000000300000-memory.dmp family_berbew behavioral1/memory/2632-58-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000016d4a-87.dat family_berbew behavioral1/files/0x0011000000014e3d-100.dat family_berbew behavioral1/memory/592-101-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/memory/2588-121-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000016d84-122.dat family_berbew behavioral1/files/0x0006000000016e56-135.dat family_berbew behavioral1/files/0x0006000000017090-142.dat family_berbew behavioral1/memory/2760-147-0x00000000001B0000-0x00000000001F0000-memory.dmp family_berbew behavioral1/files/0x0005000000018698-153.dat family_berbew behavioral1/memory/1980-161-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018ae2-167.dat family_berbew behavioral1/memory/1980-172-0x00000000001B0000-0x00000000001F0000-memory.dmp family_berbew behavioral1/memory/2692-175-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000018b15-181.dat family_berbew behavioral1/memory/2068-203-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/676-230-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000192c9-249.dat family_berbew behavioral1/memory/840-250-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000500000001931b-258.dat family_berbew behavioral1/memory/840-259-0x00000000003C0000-0x0000000000400000-memory.dmp family_berbew behavioral1/memory/2452-275-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x000500000001939b-277.dat family_berbew behavioral1/files/0x0005000000019410-288.dat family_berbew behavioral1/memory/2140-298-0x0000000000260000-0x00000000002A0000-memory.dmp family_berbew behavioral1/memory/2140-292-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000500000001946f-301.dat family_berbew behavioral1/files/0x0005000000019485-310.dat family_berbew behavioral1/files/0x00040000000194dc-330.dat family_berbew behavioral1/memory/1140-334-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2552-358-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2552-364-0x00000000002E0000-0x0000000000320000-memory.dmp family_berbew behavioral1/memory/2496-370-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019521-372.dat family_berbew behavioral1/memory/2640-399-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2944-397-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x00050000000195a4-407.dat family_berbew behavioral1/files/0x00050000000195a7-416.dat family_berbew behavioral1/files/0x00050000000195a9-427.dat family_berbew behavioral1/memory/2696-435-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00050000000195ba-438.dat family_berbew behavioral1/memory/1636-449-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/memory/2096-464-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2460-487-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019ce6-492.dat family_berbew behavioral1/files/0x0005000000019d59-504.dat family_berbew behavioral1/files/0x0005000000019f60-515.dat family_berbew behavioral1/files/0x000500000001a013-528.dat family_berbew behavioral1/memory/2632-495-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/2612-486-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/memory/956-484-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0005000000019bef-481.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2096 Aojojl32.exe 2472 Aoohekal.exe 2612 Aapemc32.exe 2632 Ajhiei32.exe 2500 Acqnnndl.exe 2912 Bibpad32.exe 592 Bffpki32.exe 2348 Bfhmqhkd.exe 2588 Bfkifhib.exe 2760 Cpcnonob.exe 2168 Cikbhc32.exe 1980 Ckolek32.exe 2692 Cdgpnqpo.exe 768 Cpnaca32.exe 2068 Dpqnhadq.exe 2820 Diibag32.exe 676 Dbafjlaa.exe 1096 Dmgkgeah.exe 840 Dinklffl.exe 2452 Dhbhmb32.exe 1844 Dchmkkkj.exe 1624 Elqaca32.exe 2140 Eeielfhk.exe 2084 Egjbdo32.exe 2188 Eabcggll.exe 2248 Egokonjc.exe 1140 Edclib32.exe 2192 Enkpahon.exe 2552 Fffefjmi.exe 2496 Foojop32.exe 2388 Fhgnge32.exe 2944 Fmegncpp.exe 2640 Fnfcel32.exe 2888 Findhdcb.exe 1396 Gjpqpl32.exe 2696 Gcheib32.exe 1636 Gkomjo32.exe 2568 Ggfnopfg.exe 2576 Gqnbhf32.exe 956 Gcmoda32.exe 2460 Giiglhjb.exe 1436 Gpcoib32.exe 1712 Gmgpbf32.exe 2160 Gpelnb32.exe 1552 Hnkion32.exe 1028 Hloiib32.exe 2284 Imleli32.exe 1732 Ieigfk32.exe 2832 Ilcoce32.exe 2336 Ibmgpoia.exe 308 Ielclkhe.exe 1528 Jlelhe32.exe 2492 Jbpdeogo.exe 2652 Jhlmmfef.exe 2508 Jkkija32.exe 2636 Jdcmbgkj.exe 2996 Joiappkp.exe 2232 Jpjngh32.exe 2604 Jgdfdbhk.exe 2340 Jjbbpmgo.exe 1608 Jdhgnf32.exe 2700 Jkbojpna.exe 2812 Jlckbh32.exe 2532 Kfkpknkq.exe -
Loads dropped DLL 64 IoCs
pid Process 2856 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 2856 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 2096 Aojojl32.exe 2096 Aojojl32.exe 2472 Aoohekal.exe 2472 Aoohekal.exe 2612 Aapemc32.exe 2612 Aapemc32.exe 2632 Ajhiei32.exe 2632 Ajhiei32.exe 2500 Acqnnndl.exe 2500 Acqnnndl.exe 2912 Bibpad32.exe 2912 Bibpad32.exe 592 Bffpki32.exe 592 Bffpki32.exe 2348 Bfhmqhkd.exe 2348 Bfhmqhkd.exe 2588 Bfkifhib.exe 2588 Bfkifhib.exe 2760 Cpcnonob.exe 2760 Cpcnonob.exe 2168 Cikbhc32.exe 2168 Cikbhc32.exe 1980 Ckolek32.exe 1980 Ckolek32.exe 2692 Cdgpnqpo.exe 2692 Cdgpnqpo.exe 768 Cpnaca32.exe 768 Cpnaca32.exe 2068 Dpqnhadq.exe 2068 Dpqnhadq.exe 2820 Diibag32.exe 2820 Diibag32.exe 676 Dbafjlaa.exe 676 Dbafjlaa.exe 1096 Dmgkgeah.exe 1096 Dmgkgeah.exe 840 Dinklffl.exe 840 Dinklffl.exe 2452 Dhbhmb32.exe 2452 Dhbhmb32.exe 1844 Dchmkkkj.exe 1844 Dchmkkkj.exe 1624 Elqaca32.exe 1624 Elqaca32.exe 2140 Eeielfhk.exe 2140 Eeielfhk.exe 2084 Egjbdo32.exe 2084 Egjbdo32.exe 2188 Eabcggll.exe 2188 Eabcggll.exe 2248 Egokonjc.exe 2248 Egokonjc.exe 1140 Edclib32.exe 1140 Edclib32.exe 2192 Enkpahon.exe 2192 Enkpahon.exe 2552 Fffefjmi.exe 2552 Fffefjmi.exe 2496 Foojop32.exe 2496 Foojop32.exe 2388 Fhgnge32.exe 2388 Fhgnge32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lckfmpgk.dll Aanibhoh.exe File opened for modification C:\Windows\SysWOW64\Okbpde32.exe Odhhgkib.exe File opened for modification C:\Windows\SysWOW64\Kmqmod32.exe Jdhifooi.exe File created C:\Windows\SysWOW64\Gqahqd32.exe Goplilpf.exe File opened for modification C:\Windows\SysWOW64\Dcbnpgkh.exe Dbabho32.exe File created C:\Windows\SysWOW64\Gkomjo32.exe Gcheib32.exe File created C:\Windows\SysWOW64\Dfcaiilc.dll Jkbojpna.exe File created C:\Windows\SysWOW64\Nohddd32.exe Npechhgd.exe File created C:\Windows\SysWOW64\Afffenbp.exe Achjibcl.exe File created C:\Windows\SysWOW64\Fgpcof32.dll Jjijkmbi.exe File created C:\Windows\SysWOW64\Cmojeo32.dll Jmfcop32.exe File opened for modification C:\Windows\SysWOW64\Apkihofl.exe Aiaqle32.exe File created C:\Windows\SysWOW64\Kkoncdcp.exe Kfbfkmeh.exe File created C:\Windows\SysWOW64\Bhimbk32.dll Nnleiipc.exe File created C:\Windows\SysWOW64\Djdjalea.exe Dfinam32.exe File created C:\Windows\SysWOW64\Hiockd32.exe Process not Found File created C:\Windows\SysWOW64\Qeeheknp.dll Nbflno32.exe File created C:\Windows\SysWOW64\Kidjdpie.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Jhfhec32.dll Jpmooind.exe File created C:\Windows\SysWOW64\Monann32.dll Kapaaj32.exe File created C:\Windows\SysWOW64\Akfkbd32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Qpamoa32.exe Qmbqcf32.exe File created C:\Windows\SysWOW64\Cfcijf32.exe Clmdmm32.exe File created C:\Windows\SysWOW64\Aqcifjof.dll Paiaplin.exe File created C:\Windows\SysWOW64\Jfmgba32.dll Hffibceh.exe File created C:\Windows\SysWOW64\Eojkndbh.dll Hcdifa32.exe File created C:\Windows\SysWOW64\Lbeede32.dll Maldfbjn.exe File created C:\Windows\SysWOW64\Oikbkegk.dll Hokhbj32.exe File created C:\Windows\SysWOW64\Cmhjdiap.exe Cfoaho32.exe File created C:\Windows\SysWOW64\Ifigco32.dll Hjofdi32.exe File created C:\Windows\SysWOW64\Meabakda.exe Mjkndb32.exe File created C:\Windows\SysWOW64\Fogibnha.exe Fnflke32.exe File created C:\Windows\SysWOW64\Kjdepgcg.dll Hfbcidmk.exe File created C:\Windows\SysWOW64\Pghaaidm.dll Ofcqcp32.exe File opened for modification C:\Windows\SysWOW64\Eheglk32.exe Dbiocd32.exe File opened for modification C:\Windows\SysWOW64\Addfkeid.exe Aklabp32.exe File created C:\Windows\SysWOW64\Dokggo32.dll Elibpg32.exe File opened for modification C:\Windows\SysWOW64\Eegmhhie.exe Enneln32.exe File created C:\Windows\SysWOW64\Cpehmcmg.dll Jgabdlfb.exe File created C:\Windows\SysWOW64\Egnpaigk.dll Pfbfhm32.exe File created C:\Windows\SysWOW64\Neajod32.dll Ldbjdj32.exe File opened for modification C:\Windows\SysWOW64\Fmaqgaae.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mfihkoal.exe Mpopnejo.exe File created C:\Windows\SysWOW64\Qqfkbadh.dll Loefnpnn.exe File opened for modification C:\Windows\SysWOW64\Boobki32.exe Bggjjlnb.exe File created C:\Windows\SysWOW64\Glbaei32.exe Gehiioaj.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jmipdo32.exe File created C:\Windows\SysWOW64\Hjacjifm.exe Hgbfnngi.exe File created C:\Windows\SysWOW64\Blibjh32.dll Bfhmqhkd.exe File opened for modification C:\Windows\SysWOW64\Jgdfdbhk.exe Jpjngh32.exe File created C:\Windows\SysWOW64\Olbkimdk.dll Process not Found File created C:\Windows\SysWOW64\Djgfgkbo.exe Dcmnja32.exe File created C:\Windows\SysWOW64\Aeganjdl.dll Odacbpee.exe File created C:\Windows\SysWOW64\Achjibcl.exe Ahbekjcf.exe File opened for modification C:\Windows\SysWOW64\Kdmban32.exe Kigndekn.exe File created C:\Windows\SysWOW64\Lmjqcd32.dll Dkmljcdh.exe File created C:\Windows\SysWOW64\Jecnnk32.exe Jjnjqb32.exe File created C:\Windows\SysWOW64\Pcpgblfk.dll Ochenfdn.exe File opened for modification C:\Windows\SysWOW64\Hcojam32.exe Hbnmienj.exe File created C:\Windows\SysWOW64\Cogfqe32.exe Cmhjdiap.exe File opened for modification C:\Windows\SysWOW64\Enmnahnm.exe Ecgjdong.exe File created C:\Windows\SysWOW64\Ojoppamn.dll Ioefdpne.exe File created C:\Windows\SysWOW64\Dflpeo32.dll Jqpebg32.exe File created C:\Windows\SysWOW64\Dimkiekk.dll Lhfefgkg.exe -
Program crash 1 IoCs
pid pid_target Process 6976 4404 Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckqmd32.dll" Jhahanie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbgkfbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnhgnpbp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clmdmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclqqeaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjkcc32.dll" Hmfmkjdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemkpefi.dll" Djgfgkbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kncaojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll" Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deeqch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghaaidm.dll" Ofcqcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll" Abnopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iohbjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlboaceh.dll" Oadkej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igmepdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpgeall.dll" Ecmjid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcohnaep.dll" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll" Lcmklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbioqbg.dll" Ogofkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjagic.dll" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbpi32.dll" Bckefnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkndb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacmhh32.dll" Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafimk32.dll" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehhiell.dll" Ccmblnif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmlmc32.dll" Blniinac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Magdam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbffoabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojmpooah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlqmmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjijkmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfejbj.dll" Kncaojfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbkmo32.dll" Kfnmpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjnjqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijehdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfhi32.dll" Lmpeljkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmidlkkk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egokonjc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2096 2856 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 28 PID 2856 wrote to memory of 2096 2856 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 28 PID 2856 wrote to memory of 2096 2856 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 28 PID 2856 wrote to memory of 2096 2856 5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe 771 PID 2096 wrote to memory of 2472 2096 Aojojl32.exe 29 PID 2096 wrote to memory of 2472 2096 Aojojl32.exe 29 PID 2096 wrote to memory of 2472 2096 Aojojl32.exe 29 PID 2096 wrote to memory of 2472 2096 Aojojl32.exe 29 PID 2472 wrote to memory of 2612 2472 Aoohekal.exe 30 PID 2472 wrote to memory of 2612 2472 Aoohekal.exe 30 PID 2472 wrote to memory of 2612 2472 Aoohekal.exe 30 PID 2472 wrote to memory of 2612 2472 Aoohekal.exe 30 PID 2612 wrote to memory of 2632 2612 Aapemc32.exe 31 PID 2612 wrote to memory of 2632 2612 Aapemc32.exe 31 PID 2612 wrote to memory of 2632 2612 Aapemc32.exe 31 PID 2612 wrote to memory of 2632 2612 Aapemc32.exe 31 PID 2632 wrote to memory of 2500 2632 Ajhiei32.exe 1186 PID 2632 wrote to memory of 2500 2632 Ajhiei32.exe 1186 PID 2632 wrote to memory of 2500 2632 Ajhiei32.exe 1186 PID 2632 wrote to memory of 2500 2632 Ajhiei32.exe 1186 PID 2500 wrote to memory of 2912 2500 Acqnnndl.exe 1142 PID 2500 wrote to memory of 2912 2500 Acqnnndl.exe 1142 PID 2500 wrote to memory of 2912 2500 Acqnnndl.exe 1142 PID 2500 wrote to memory of 2912 2500 Acqnnndl.exe 1142 PID 2912 wrote to memory of 592 2912 Bibpad32.exe 34 PID 2912 wrote to memory of 592 2912 Bibpad32.exe 34 PID 2912 wrote to memory of 592 2912 Bibpad32.exe 34 PID 2912 wrote to memory of 592 2912 Bibpad32.exe 34 PID 592 wrote to memory of 2348 592 Bffpki32.exe 35 PID 592 wrote to memory of 2348 592 Bffpki32.exe 35 PID 592 wrote to memory of 2348 592 Bffpki32.exe 35 PID 592 wrote to memory of 2348 592 Bffpki32.exe 35 PID 2348 wrote to memory of 2588 2348 Bfhmqhkd.exe 36 PID 2348 wrote to memory of 2588 2348 Bfhmqhkd.exe 36 PID 2348 wrote to memory of 2588 2348 Bfhmqhkd.exe 36 PID 2348 wrote to memory of 2588 2348 Bfhmqhkd.exe 36 PID 2588 wrote to memory of 2760 2588 Bfkifhib.exe 37 PID 2588 wrote to memory of 2760 2588 Bfkifhib.exe 37 PID 2588 wrote to memory of 2760 2588 Bfkifhib.exe 37 PID 2588 wrote to memory of 2760 2588 Bfkifhib.exe 37 PID 2760 wrote to memory of 2168 2760 Cpcnonob.exe 38 PID 2760 wrote to memory of 2168 2760 Cpcnonob.exe 38 PID 2760 wrote to memory of 2168 2760 Cpcnonob.exe 38 PID 2760 wrote to memory of 2168 2760 Cpcnonob.exe 38 PID 2168 wrote to memory of 1980 2168 Cikbhc32.exe 39 PID 2168 wrote to memory of 1980 2168 Cikbhc32.exe 39 PID 2168 wrote to memory of 1980 2168 Cikbhc32.exe 39 PID 2168 wrote to memory of 1980 2168 Cikbhc32.exe 39 PID 1980 wrote to memory of 2692 1980 Ckolek32.exe 40 PID 1980 wrote to memory of 2692 1980 Ckolek32.exe 40 PID 1980 wrote to memory of 2692 1980 Ckolek32.exe 40 PID 1980 wrote to memory of 2692 1980 Ckolek32.exe 40 PID 2692 wrote to memory of 768 2692 Cdgpnqpo.exe 41 PID 2692 wrote to memory of 768 2692 Cdgpnqpo.exe 41 PID 2692 wrote to memory of 768 2692 Cdgpnqpo.exe 41 PID 2692 wrote to memory of 768 2692 Cdgpnqpo.exe 41 PID 768 wrote to memory of 2068 768 Cpnaca32.exe 42 PID 768 wrote to memory of 2068 768 Cpnaca32.exe 42 PID 768 wrote to memory of 2068 768 Cpnaca32.exe 42 PID 768 wrote to memory of 2068 768 Cpnaca32.exe 42 PID 2068 wrote to memory of 2820 2068 Dpqnhadq.exe 573 PID 2068 wrote to memory of 2820 2068 Dpqnhadq.exe 573 PID 2068 wrote to memory of 2820 2068 Dpqnhadq.exe 573 PID 2068 wrote to memory of 2820 2068 Dpqnhadq.exe 573
Processes
-
C:\Users\Admin\AppData\Local\Temp\5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5479c93625eb65150f5d4121adb22a70_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:676 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe33⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe34⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe35⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe36⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe39⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe40⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe41⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe42⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe43⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe44⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe45⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe47⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe48⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe49⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe50⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe51⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe52⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe53⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe54⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe55⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe56⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe57⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe60⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe61⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe62⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe64⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe65⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe66⤵PID:2228
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe67⤵PID:2548
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe68⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe69⤵PID:1808
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe70⤵PID:3044
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe71⤵PID:2804
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe72⤵PID:1648
-
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe73⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe74⤵PID:2136
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe75⤵PID:892
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe76⤵PID:2252
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe77⤵PID:2384
-
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe78⤵PID:2752
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe79⤵PID:2600
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe80⤵PID:1928
-
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe81⤵PID:2468
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe82⤵PID:2852
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe83⤵PID:1384
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe84⤵PID:1344
-
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe85⤵PID:2320
-
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe86⤵PID:2128
-
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe87⤵PID:1988
-
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe88⤵PID:3052
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe89⤵PID:2076
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe90⤵PID:1708
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe91⤵PID:2784
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe92⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe93⤵PID:2148
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe94⤵PID:2480
-
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe95⤵PID:1068
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe98⤵PID:1088
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe99⤵PID:2256
-
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe100⤵PID:1984
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe101⤵PID:1452
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe102⤵PID:2740
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe103⤵PID:2000
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe104⤵PID:2220
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe105⤵PID:3016
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe106⤵PID:2056
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe107⤵PID:3032
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe108⤵PID:2176
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe109⤵PID:2376
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe110⤵PID:2564
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe111⤵PID:1840
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe112⤵PID:896
-
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe113⤵PID:1656
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe114⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe115⤵PID:948
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe116⤵PID:2300
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe117⤵PID:696
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe118⤵PID:2680
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe119⤵PID:2280
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe120⤵PID:2628
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe121⤵PID:1748
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-