Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 14:25

Behavioral task: behavioral1
Sample: 5c38058c8f8c26b73af1a1a6f8f99e90_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 5c38058c8f8c26b73af1a1a6f8f99e90_NeikiAnalytics.exe
Resource: win10v2004-20240508-en

General
Target: 5c38058c8f8c26b73af1a1a6f8f99e90_NeikiAnalytics.exe
Size: 256KB
MD5: 5c38058c8f8c26b73af1a1a6f8f99e90
SHA1: 150c2235ffc532ee305e56cc45fee9c7dbef8cea
SHA256: 63d4f504bbb367d3f2a8607f69c695d2a79f0360b7fe0530ae0693aca008d108
SHA512: 470cfbf45fb0a8bf8be2b45fd779eb6e5013577073018a710fbc8e4d4800a81b4eed9ee5d648ed1e66eb6c9ffbec20d7f9d761b0eaafa24156fdd71fb13f01d6
SSDEEP: 6144:iJ1tHUIApSgWPjlpmmxieQbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRU:it0IApU7lpJxifbWGRdA6sQhPbWGRdAT
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 6228, pid_target: 6200, Process: WerFault.exe
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c38058c8f8c26b73af1a1a6f8f99e90_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5c38058c8f8c26b73af1a1a6f8f99e90_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:452 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Elmigj32.exeC:\Windows\system32\Elmigj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe33⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe34⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe35⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe36⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe37⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe39⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe40⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Fdapak32.exeC:\Windows\system32\Fdapak32.exe41⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe42⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe44⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe45⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Ffbicfoc.exeC:\Windows\system32\Ffbicfoc.exe46⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe47⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Gfefiemq.exeC:\Windows\system32\Gfefiemq.exe49⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe50⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe51⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe52⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe54⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe55⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe56⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Gldkfl32.exeC:\Windows\system32\Gldkfl32.exe57⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe58⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe59⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe60⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe61⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe62⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe63⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe64⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe65⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe66⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe67⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe69⤵PID:1912
-
C:\Windows\SysWOW64\Gaemjbcg.exeC:\Windows\system32\Gaemjbcg.exe70⤵PID:1556
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe71⤵PID:1664
-
C:\Windows\SysWOW64\Hgbebiao.exeC:\Windows\system32\Hgbebiao.exe72⤵PID:2468
-
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe73⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe74⤵PID:1656
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe75⤵PID:1512
-
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe76⤵PID:1952
-
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe77⤵PID:1364
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe78⤵PID:2732
-
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe79⤵PID:2356
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe80⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe81⤵PID:2532
-
C:\Windows\SysWOW64\Hejoiedd.exeC:\Windows\system32\Hejoiedd.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2372 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe83⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe84⤵PID:2456
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe85⤵PID:3000
-
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe86⤵PID:1864
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:864 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe89⤵PID:2888
-
C:\Windows\SysWOW64\Hpapln32.exeC:\Windows\system32\Hpapln32.exe90⤵PID:640
-
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe91⤵PID:1948
-
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe92⤵PID:2836
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe93⤵PID:3020
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe94⤵PID:3064
-
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe95⤵PID:2892
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe96⤵PID:1668
-
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe97⤵PID:2564
-
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe98⤵PID:2692
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe99⤵PID:2392
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe101⤵PID:1408
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe102⤵PID:2924
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe104⤵PID:2696
-
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe105⤵
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe106⤵PID:2552
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484 -
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe108⤵PID:1216
-
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe109⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe110⤵PID:2556
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe111⤵
- Drops file in System32 directory
PID:312 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe112⤵PID:2748
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe113⤵PID:2488
-
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe114⤵PID:2900
-
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe115⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe117⤵PID:1184
-
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe118⤵PID:2744
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe119⤵PID:2184
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe120⤵PID:2668
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe121⤵PID:2496
-
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe122⤵PID:2420