Analysis
-
max time kernel
141s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 18:17
Behavioral task
behavioral1
Sample
3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe
-
Size
768KB
-
MD5
3efa9fdbac1987b00a40a8b4837eb1d0
-
SHA1
f798d7edcc27feb2fc2361375c52e832e58a25d4
-
SHA256
0b15d6ac32667d42b575c1203c124f8788e70e40322c47c2e46d1bb3d1195612
-
SHA512
2ca0a74270f0c3a19cf842136d10ff65c906077121e640968e311a06ea25776f109bf2240665664a8d09900a1a189adb91009e33c5d87bcfee957d3ee4de9492
-
SSDEEP
12288:oSvE6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZX:Wq5h3q5htaSHFaZRBEYyqmaf2qwiHPKu
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohibdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabgcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhgbmfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfpik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbeflpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cppkph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepiimfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhpeafc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djpmccqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchali32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeimhdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgioaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aniimjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqbddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkmpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lollckbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqcpob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aigchgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkcdafqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpcmpijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhacojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihgainbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgoiokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdkli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldlqakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okdkal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmccjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joplbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifpdelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febfomdd.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a000000012286-11.dat family_berbew behavioral1/files/0x000800000001489f-26.dat family_berbew behavioral1/files/0x0007000000014b5c-33.dat family_berbew behavioral1/files/0x0009000000015065-52.dat family_berbew behavioral1/files/0x0007000000015d3b-59.dat family_berbew behavioral1/files/0x0006000000015d73-72.dat family_berbew behavioral1/files/0x000a000000014723-85.dat family_berbew behavioral1/files/0x0006000000015d90-106.dat family_berbew behavioral1/files/0x0006000000015dca-119.dat family_berbew behavioral1/files/0x000600000001611e-137.dat family_berbew behavioral1/files/0x0006000000016581-169.dat family_berbew behavioral1/files/0x00060000000173ca-323.dat family_berbew behavioral1/files/0x00050000000193ff-442.dat family_berbew behavioral1/memory/2960-437-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x00050000000193d9-431.dat family_berbew behavioral1/memory/2652-424-0x0000000000440000-0x0000000000473000-memory.dmp family_berbew behavioral1/files/0x0005000000019314-421.dat family_berbew behavioral1/files/0x0006000000018bed-410.dat family_berbew behavioral1/files/0x0006000000018b86-399.dat family_berbew behavioral1/memory/2720-395-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x000500000001879e-389.dat family_berbew behavioral1/memory/2720-388-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0005000000018784-377.dat family_berbew behavioral1/memory/2996-373-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/memory/2996-372-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x000500000001871f-366.dat family_berbew behavioral1/files/0x000500000001870e-356.dat family_berbew behavioral1/files/0x0014000000018668-345.dat family_berbew behavioral1/files/0x00060000000173f9-334.dat family_berbew behavioral1/files/0x00060000000171d7-312.dat family_berbew behavioral1/memory/2392-308-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/memory/2392-307-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0006000000016ddc-301.dat family_berbew behavioral1/files/0x0006000000016dc8-291.dat family_berbew behavioral1/files/0x0006000000016d9f-281.dat family_berbew behavioral1/memory/2052-277-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/memory/2052-276-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0006000000016d6f-270.dat family_berbew behavioral1/files/0x0006000000016d64-259.dat family_berbew behavioral1/files/0x0006000000016d4b-249.dat family_berbew behavioral1/files/0x0006000000016d3b-239.dat family_berbew behavioral1/memory/584-238-0x0000000001F50000-0x0000000001F83000-memory.dmp family_berbew behavioral1/files/0x0006000000016d2a-227.dat family_berbew behavioral1/memory/2376-224-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x0006000000016ceb-217.dat family_berbew behavioral1/files/0x0006000000016c78-210.dat family_berbew behavioral1/files/0x0006000000016c52-196.dat family_berbew behavioral1/files/0x0006000000016835-183.dat family_berbew behavioral1/files/0x00060000000162e4-157.dat family_berbew behavioral1/files/0x0006000000015f73-132.dat family_berbew behavioral1/files/0x000500000001942b-453.dat family_berbew behavioral1/files/0x0005000000019470-463.dat family_berbew behavioral1/memory/2972-467-0x00000000002E0000-0x0000000000313000-memory.dmp family_berbew behavioral1/files/0x00050000000194b3-477.dat family_berbew behavioral1/memory/980-485-0x0000000000250000-0x0000000000283000-memory.dmp family_berbew behavioral1/files/0x000500000001952d-486.dat family_berbew behavioral1/files/0x0005000000019627-496.dat family_berbew behavioral1/files/0x000500000001962b-506.dat family_berbew behavioral1/files/0x000500000001962f-519.dat family_berbew behavioral1/files/0x0005000000019635-528.dat family_berbew behavioral1/files/0x000500000001963b-540.dat family_berbew behavioral1/files/0x000500000001963f-551.dat family_berbew behavioral1/files/0x0005000000019641-561.dat family_berbew behavioral1/files/0x0005000000019643-572.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2420 Aepojo32.exe 2212 Bhahlj32.exe 2100 Bhfagipa.exe 2656 Bgknheej.exe 2668 Cdakgibq.exe 2552 Cfeddafl.exe 2780 Copfbfjj.exe 3032 Cdlnkmha.exe 812 Ckffgg32.exe 1988 Cndbcc32.exe 1720 Dflkdp32.exe 800 Dhjgal32.exe 1564 Dkhcmgnl.exe 2940 Dbbkja32.exe 2308 Dqelenlc.exe 2376 Dgodbh32.exe 1164 Djnpnc32.exe 584 Dbehoa32.exe 1784 Ddcdkl32.exe 2892 Dkmmhf32.exe 2052 Djpmccqq.exe 1356 Dqjepm32.exe 1616 Dchali32.exe 2392 Dfgmhd32.exe 2144 Dqlafm32.exe 604 Dgfjbgmh.exe 1040 Djefobmk.exe 2456 Emcbkn32.exe 2132 Epaogi32.exe 2996 Ejgcdb32.exe 2976 Eijcpoac.exe 2720 Epdkli32.exe 2640 Efncicpm.exe 2632 Eilpeooq.exe 2652 Ekklaj32.exe 2960 Enihne32.exe 2004 Efppoc32.exe 1644 Egamfkdh.exe 2972 Epieghdk.exe 1260 Iajcde32.exe 980 Iqopea32.exe 2612 Igihbknb.exe 2496 Iqalka32.exe 1920 Jjjacf32.exe 940 Jjlnif32.exe 1500 Joifam32.exe 1056 Jkpgfn32.exe 2936 Jcgogk32.exe 3060 Jkbcln32.exe 2708 Jonplmcb.exe 2764 Jgidao32.exe 344 Joplbl32.exe 1756 Jbnhng32.exe 1984 Kihqkagp.exe 1080 Kaceodek.exe 1596 Kcbakpdo.exe 2600 Kmjfdejp.exe 1624 Kgpjanje.exe 2300 Kjnfniii.exe 2084 Kmmcjehm.exe 2748 Kfegbj32.exe 1680 Kaklpcoc.exe 3048 Kcihlong.exe 1192 Kifpdelo.exe -
Loads dropped DLL 64 IoCs
pid Process 2416 3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe 2416 3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe 2420 Aepojo32.exe 2420 Aepojo32.exe 2212 Bhahlj32.exe 2212 Bhahlj32.exe 2100 Bhfagipa.exe 2100 Bhfagipa.exe 2656 Bgknheej.exe 2656 Bgknheej.exe 2668 Cdakgibq.exe 2668 Cdakgibq.exe 2552 Cfeddafl.exe 2552 Cfeddafl.exe 2780 Copfbfjj.exe 2780 Copfbfjj.exe 3032 Cdlnkmha.exe 3032 Cdlnkmha.exe 812 Ckffgg32.exe 812 Ckffgg32.exe 1988 Cndbcc32.exe 1988 Cndbcc32.exe 1720 Dflkdp32.exe 1720 Dflkdp32.exe 800 Dhjgal32.exe 800 Dhjgal32.exe 1564 Dkhcmgnl.exe 1564 Dkhcmgnl.exe 2940 Dbbkja32.exe 2940 Dbbkja32.exe 2308 Dqelenlc.exe 2308 Dqelenlc.exe 2376 Dgodbh32.exe 2376 Dgodbh32.exe 1164 Djnpnc32.exe 1164 Djnpnc32.exe 584 Dbehoa32.exe 584 Dbehoa32.exe 1784 Ddcdkl32.exe 1784 Ddcdkl32.exe 2892 Dkmmhf32.exe 2892 Dkmmhf32.exe 2052 Djpmccqq.exe 2052 Djpmccqq.exe 1356 Dqjepm32.exe 1356 Dqjepm32.exe 1616 Dchali32.exe 1616 Dchali32.exe 2392 Dfgmhd32.exe 2392 Dfgmhd32.exe 2144 Dqlafm32.exe 2144 Dqlafm32.exe 604 Dgfjbgmh.exe 604 Dgfjbgmh.exe 1040 Djefobmk.exe 1040 Djefobmk.exe 2456 Emcbkn32.exe 2456 Emcbkn32.exe 2132 Epaogi32.exe 2132 Epaogi32.exe 2996 Ejgcdb32.exe 2996 Ejgcdb32.exe 2976 Eijcpoac.exe 2976 Eijcpoac.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lbcnhjnj.exe Lijjoe32.exe File opened for modification C:\Windows\SysWOW64\Hkcdafqb.exe Hakphqja.exe File created C:\Windows\SysWOW64\Ollfnfje.dll Jjlnif32.exe File created C:\Windows\SysWOW64\Jfjoqjhi.dll Lbcnhjnj.exe File opened for modification C:\Windows\SysWOW64\Meccii32.exe Mcegmm32.exe File opened for modification C:\Windows\SysWOW64\Mamddf32.exe Mggpgmof.exe File created C:\Windows\SysWOW64\Lmpanl32.dll Abbeflpf.exe File opened for modification C:\Windows\SysWOW64\Ejgcdb32.exe Epaogi32.exe File created C:\Windows\SysWOW64\Mnjdbp32.dll Pikkiijf.exe File created C:\Windows\SysWOW64\Bmpfojmp.exe Bbjbaa32.exe File opened for modification C:\Windows\SysWOW64\Cgejac32.exe Cnmehnan.exe File opened for modification C:\Windows\SysWOW64\Jnmlhchd.exe Jkoplhip.exe File opened for modification C:\Windows\SysWOW64\Nekbmgcn.exe Ngibaj32.exe File opened for modification C:\Windows\SysWOW64\Namqci32.exe Nondgn32.exe File opened for modification C:\Windows\SysWOW64\Jmplcp32.exe Jnmlhchd.exe File created C:\Windows\SysWOW64\Kicmdo32.exe Kpjhkjde.exe File opened for modification C:\Windows\SysWOW64\Pgbafl32.exe Pmlmic32.exe File opened for modification C:\Windows\SysWOW64\Clilkfnb.exe Cdbdjhmp.exe File opened for modification C:\Windows\SysWOW64\Mpjqiq32.exe Mmldme32.exe File created C:\Windows\SysWOW64\Jgidao32.exe Jonplmcb.exe File created C:\Windows\SysWOW64\Nblnkb32.dll Oclilp32.exe File created C:\Windows\SysWOW64\Blgpef32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Dhhlgc32.dll Edkcojga.exe File created C:\Windows\SysWOW64\Hapicp32.exe Hgjefg32.exe File created C:\Windows\SysWOW64\Kiqpop32.exe Kohkfj32.exe File opened for modification C:\Windows\SysWOW64\Bhahlj32.exe Aepojo32.exe File created C:\Windows\SysWOW64\Lfbpag32.exe Laegiq32.exe File opened for modification C:\Windows\SysWOW64\Pjnamh32.exe Pdaheq32.exe File created C:\Windows\SysWOW64\Abphal32.exe Aigchgkh.exe File created C:\Windows\SysWOW64\Bhdgjb32.exe Bajomhbl.exe File created C:\Windows\SysWOW64\Imehcohk.dll Enfenplo.exe File opened for modification C:\Windows\SysWOW64\Hlljjjnm.exe Gebbnpfp.exe File created C:\Windows\SysWOW64\Dflkdp32.exe Cndbcc32.exe File created C:\Windows\SysWOW64\Lijjoe32.exe Lflmci32.exe File created C:\Windows\SysWOW64\Pfoocjfd.exe Onhgbmfb.exe File created C:\Windows\SysWOW64\Ampehe32.dll Eccmffjf.exe File opened for modification C:\Windows\SysWOW64\Pmagdbci.exe Pcibkm32.exe File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe Clmbddgp.exe File created C:\Windows\SysWOW64\Ihgainbg.exe Ioolqh32.exe File opened for modification C:\Windows\SysWOW64\Djnpnc32.exe Dgodbh32.exe File created C:\Windows\SysWOW64\Mfnekf32.dll Jonplmcb.exe File created C:\Windows\SysWOW64\Nlbeqb32.exe Ndkmpe32.exe File created C:\Windows\SysWOW64\Llgodg32.dll Ojcecjee.exe File created C:\Windows\SysWOW64\Jbnhng32.exe Joplbl32.exe File created C:\Windows\SysWOW64\Limilm32.dll Kmmcjehm.exe File created C:\Windows\SysWOW64\Kjfjbdle.exe Jqnejn32.exe File opened for modification C:\Windows\SysWOW64\Habfipdj.exe Hkhnle32.exe File opened for modification C:\Windows\SysWOW64\Iedkbc32.exe Illgimph.exe File created C:\Windows\SysWOW64\Llcohjcg.dll Mlfojn32.exe File opened for modification C:\Windows\SysWOW64\Ngkogj32.exe Nodgel32.exe File created C:\Windows\SysWOW64\Dbbkja32.exe Dkhcmgnl.exe File opened for modification C:\Windows\SysWOW64\Pclfkc32.exe Pamiog32.exe File opened for modification C:\Windows\SysWOW64\Anccmo32.exe Adnopfoj.exe File opened for modification C:\Windows\SysWOW64\Labkdack.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Afgkfl32.exe Aajbne32.exe File created C:\Windows\SysWOW64\Jjlnif32.exe Jjjacf32.exe File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Lbcnhjnj.exe File opened for modification C:\Windows\SysWOW64\Oddpfc32.exe Onjgiiad.exe File opened for modification C:\Windows\SysWOW64\Ojcecjee.exe Oonafa32.exe File created C:\Windows\SysWOW64\Ddpkof32.dll Piphee32.exe File opened for modification C:\Windows\SysWOW64\Ipjoplgo.exe Iedkbc32.exe File opened for modification C:\Windows\SysWOW64\Jqgoiokm.exe Jkjfah32.exe File created C:\Windows\SysWOW64\Kfommp32.dll Pamiog32.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oqcpob32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3368 3960 WerFault.exe 352 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eccmffjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgodg32.dll" Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfnnha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piccpc32.dll" Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfgbn32.dll" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgidao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnjef32.dll" Ejhlgaeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmagdbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmagdbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpgljfbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joifam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pclfkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdkli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhbnkpn.dll" Fljafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmeimhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadqjk32.dll" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balkchpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekkcljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emnndlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnmlid.dll" Cgcmlcja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffhpbacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naimccpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anccmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnekf32.dll" Jonplmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illgimph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" Mgalqkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aajbne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goipbehm.dll" Iqalka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpbaebdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkemkhcd.dll" Pgbhabjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbcln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgidao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nocnbmoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efppoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmcgmjk.dll" Ogblbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgioaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijbdha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiqpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlnkmha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll" Bjlqhoba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjnamh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhjgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqelenlc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2420 2416 3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 2420 2416 3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 2420 2416 3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe 28 PID 2416 wrote to memory of 2420 2416 3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe 28 PID 2420 wrote to memory of 2212 2420 Aepojo32.exe 29 PID 2420 wrote to memory of 2212 2420 Aepojo32.exe 29 PID 2420 wrote to memory of 2212 2420 Aepojo32.exe 29 PID 2420 wrote to memory of 2212 2420 Aepojo32.exe 29 PID 2212 wrote to memory of 2100 2212 Bhahlj32.exe 30 PID 2212 wrote to memory of 2100 2212 Bhahlj32.exe 30 PID 2212 wrote to memory of 2100 2212 Bhahlj32.exe 30 PID 2212 wrote to memory of 2100 2212 Bhahlj32.exe 30 PID 2100 wrote to memory of 2656 2100 Bhfagipa.exe 31 PID 2100 wrote to memory of 2656 2100 Bhfagipa.exe 31 PID 2100 wrote to memory of 2656 2100 Bhfagipa.exe 31 PID 2100 wrote to memory of 2656 2100 Bhfagipa.exe 31 PID 2656 wrote to memory of 2668 2656 Bgknheej.exe 32 PID 2656 wrote to memory of 2668 2656 Bgknheej.exe 32 PID 2656 wrote to memory of 2668 2656 Bgknheej.exe 32 PID 2656 wrote to memory of 2668 2656 Bgknheej.exe 32 PID 2668 wrote to memory of 2552 2668 Cdakgibq.exe 33 PID 2668 wrote to memory of 2552 2668 Cdakgibq.exe 33 PID 2668 wrote to memory of 2552 2668 Cdakgibq.exe 33 PID 2668 wrote to memory of 2552 2668 Cdakgibq.exe 33 PID 2552 wrote to memory of 2780 2552 Cfeddafl.exe 34 PID 2552 wrote to memory of 2780 2552 Cfeddafl.exe 34 PID 2552 wrote to memory of 2780 2552 Cfeddafl.exe 34 PID 2552 wrote to memory of 2780 2552 Cfeddafl.exe 34 PID 2780 wrote to memory of 3032 2780 Copfbfjj.exe 35 PID 2780 wrote to memory of 3032 2780 Copfbfjj.exe 35 PID 2780 wrote to memory of 3032 2780 Copfbfjj.exe 35 PID 2780 wrote to memory of 3032 2780 Copfbfjj.exe 35 PID 3032 wrote to memory of 812 3032 Cdlnkmha.exe 36 PID 3032 wrote to memory of 812 3032 Cdlnkmha.exe 36 PID 3032 wrote to memory of 812 3032 Cdlnkmha.exe 36 PID 3032 wrote to memory of 812 3032 Cdlnkmha.exe 36 PID 812 wrote to memory of 1988 812 Ckffgg32.exe 37 PID 812 wrote to memory of 1988 812 Ckffgg32.exe 37 PID 812 wrote to memory of 1988 812 Ckffgg32.exe 37 PID 812 wrote to memory of 1988 812 Ckffgg32.exe 37 PID 1988 wrote to memory of 1720 1988 Cndbcc32.exe 38 PID 1988 wrote to memory of 1720 1988 Cndbcc32.exe 38 PID 1988 wrote to memory of 1720 1988 Cndbcc32.exe 38 PID 1988 wrote to memory of 1720 1988 Cndbcc32.exe 38 PID 1720 wrote to memory of 800 1720 Dflkdp32.exe 39 PID 1720 wrote to memory of 800 1720 Dflkdp32.exe 39 PID 1720 wrote to memory of 800 1720 Dflkdp32.exe 39 PID 1720 wrote to memory of 800 1720 Dflkdp32.exe 39 PID 800 wrote to memory of 1564 800 Dhjgal32.exe 40 PID 800 wrote to memory of 1564 800 Dhjgal32.exe 40 PID 800 wrote to memory of 1564 800 Dhjgal32.exe 40 PID 800 wrote to memory of 1564 800 Dhjgal32.exe 40 PID 1564 wrote to memory of 2940 1564 Dkhcmgnl.exe 41 PID 1564 wrote to memory of 2940 1564 Dkhcmgnl.exe 41 PID 1564 wrote to memory of 2940 1564 Dkhcmgnl.exe 41 PID 1564 wrote to memory of 2940 1564 Dkhcmgnl.exe 41 PID 2940 wrote to memory of 2308 2940 Dbbkja32.exe 42 PID 2940 wrote to memory of 2308 2940 Dbbkja32.exe 42 PID 2940 wrote to memory of 2308 2940 Dbbkja32.exe 42 PID 2940 wrote to memory of 2308 2940 Dbbkja32.exe 42 PID 2308 wrote to memory of 2376 2308 Dqelenlc.exe 43 PID 2308 wrote to memory of 2376 2308 Dqelenlc.exe 43 PID 2308 wrote to memory of 2376 2308 Dqelenlc.exe 43 PID 2308 wrote to memory of 2376 2308 Dqelenlc.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3efa9fdbac1987b00a40a8b4837eb1d0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe34⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe35⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe36⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe37⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe39⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe40⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe41⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe43⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe48⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe49⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe54⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe55⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Kaceodek.exeC:\Windows\system32\Kaceodek.exe56⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe57⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe59⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Kjnfniii.exeC:\Windows\system32\Kjnfniii.exe60⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Kmmcjehm.exeC:\Windows\system32\Kmmcjehm.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe62⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe63⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe68⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe69⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe70⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe71⤵PID:2424
-
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe72⤵PID:2876
-
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe73⤵PID:2240
-
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe74⤵PID:2700
-
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1076 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe76⤵PID:2024
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe77⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe78⤵PID:2112
-
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe79⤵PID:2620
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe80⤵PID:1628
-
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe81⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe82⤵PID:332
-
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe83⤵PID:1484
-
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe86⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe87⤵PID:1760
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe89⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe90⤵PID:2528
-
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe91⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe92⤵PID:1808
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe94⤵PID:1668
-
C:\Windows\SysWOW64\Nejiih32.exeC:\Windows\system32\Nejiih32.exe95⤵PID:2924
-
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe96⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe97⤵PID:1584
-
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe98⤵PID:2512
-
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe99⤵
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe100⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe102⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe103⤵PID:872
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe104⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe106⤵
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe108⤵PID:1996
-
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe109⤵PID:976
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe111⤵PID:2988
-
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe114⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe115⤵PID:268
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe116⤵PID:1068
-
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe117⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe118⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe119⤵PID:1944
-
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe121⤵
- Drops file in System32 directory
PID:2232
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-