Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-05-2024 18:23
Behavioral task: behavioral1
- Sample: 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe
- Size: 1.2MB
- MD5: 3824a1dfae19f072d2f1afe014bd6cf0
- SHA1: a286b1753a480274e3d3701e96fb023528315f00
- SHA256: c96be5b9b71c1d1ae6b11e043ab1f1faa62369cd968c92ef4031284a770c0be2
- SHA512: c4a002e134deeb83a5ad5085ff20a54ee98ac76e1470c39dece52652d272c802039960f5ff3703b1a3950a54c2de2ae6041cfa429f476d9ae7914d2f53b53f79
- SSDEEP: 12288:Q7lztzhEv7Fv4pnsKvNA+XTvZHWuEo3oW2to:QRBzhEFgpsKv2EvZHp3oW2to
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 2 IoCs
- File created: C:\Windows\system32†Diidjpbe.¿xe (Process: Dpapaj32.exe)
- File opened for modification: C:\Windows\system32†Diidjpbe.¿xe (Process: Dpapaj32.exe)
Program crash 1 IoCs
- pid: 2068, pid_target: 3052, Process: WerFault.exe, procid_target: 575
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3824a1dfae19f072d2f1afe014bd6cf0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ikbgmj32.exeC:\Windows\system32\Ikbgmj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe33⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe35⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe37⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pggbla32.exeC:\Windows\system32\Pggbla32.exe38⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe39⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe41⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe44⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe45⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe46⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe47⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe48⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe49⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe50⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe51⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe52⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe53⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe54⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe55⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe59⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe60⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe62⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe64⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe65⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Djklnnaj.exeC:\Windows\system32\Djklnnaj.exe66⤵PID:856
-
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe67⤵PID:2008
-
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe68⤵PID:488
-
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:776 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe70⤵PID:2112
-
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe71⤵PID:2244
-
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe72⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe73⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe74⤵PID:1036
-
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe76⤵
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe77⤵PID:2300
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe78⤵
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe79⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe80⤵PID:2444
-
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe81⤵PID:2556
-
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe82⤵PID:2488
-
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe83⤵PID:1520
-
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe85⤵PID:2808
-
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe86⤵PID:2540
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe87⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe88⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe90⤵PID:2884
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe91⤵PID:2916
-
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe92⤵PID:688
-
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe93⤵PID:2156
-
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe94⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe96⤵PID:2184
-
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe97⤵PID:2104
-
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe98⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe99⤵PID:2632
-
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe100⤵PID:1724
-
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe103⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe104⤵PID:2988
-
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe105⤵PID:2528
-
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe106⤵PID:1288
-
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe107⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe108⤵PID:1776
-
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe109⤵PID:324
-
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe110⤵PID:1640
-
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe111⤵PID:2080
-
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe112⤵
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe113⤵PID:1404
-
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe114⤵PID:312
-
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe115⤵PID:624
-
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe116⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe117⤵PID:2460
-
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe118⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe119⤵PID:2468
-
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe120⤵PID:380
-
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe121⤵PID:2772
-
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2716