Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 22:00
Behavioral task
behavioral1
Sample
40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe
Resource
win7-20240220-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe
-
Size
844KB
-
MD5
40aa049b1be8f9824f4411367a6b9ff0
-
SHA1
695e92e56ed592891e1bbec2e47a1154a5d13938
-
SHA256
e7c3e57ef144e9098b657bfaaaf668fb996688e78a250ab945a440bdf4b8859d
-
SHA512
731ce01e37d3d2faa94c9784559d193719b3cbcd180a37129fb07fbec18575843f7d0d57d65219eac6e122028010d4e835c0711a7838caaf0b0495fb1503445c
-
SSDEEP
24576:AzqH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:uqH5W3TbQihw+cdX2x46uhqllMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okanklik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpcbqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhqfbebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lahkigca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onhgbmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppjglfon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mofecpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebgacddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oomhcbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqlafm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqecg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffklhqao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogmfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehmdhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nejiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkkmqnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apoooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bioqclil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iefhhbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ginnnooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Menakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihoafpmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjlhneio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfkke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afcenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkccpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocalkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pndniaop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bidjnkdg.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c000000013417-5.dat family_berbew behavioral1/files/0x0007000000014183-24.dat family_berbew behavioral1/files/0x0007000000014251-33.dat family_berbew behavioral1/files/0x000800000001432f-49.dat family_berbew behavioral1/files/0x0006000000014a60-68.dat family_berbew behavioral1/files/0x0006000000014bd7-83.dat family_berbew behavioral1/files/0x0006000000014f57-95.dat family_berbew behavioral1/files/0x0006000000015083-103.dat family_berbew behavioral1/files/0x00060000000153ee-116.dat family_berbew behavioral1/files/0x000600000001565a-130.dat family_berbew behavioral1/files/0x00060000000158d9-145.dat family_berbew behavioral1/files/0x0006000000015b50-164.dat family_berbew behavioral1/files/0x0006000000015c9a-181.dat family_berbew behavioral1/files/0x0006000000015cb1-195.dat family_berbew behavioral1/files/0x0006000000015cee-215.dat family_berbew behavioral1/files/0x0006000000015d39-240.dat family_berbew behavioral1/files/0x0006000000015d0a-232.dat family_berbew behavioral1/memory/1652-281-0x0000000000250000-0x0000000000293000-memory.dmp family_berbew behavioral1/files/0x0006000000016c30-328.dat family_berbew behavioral1/files/0x0006000000016cf3-361.dat family_berbew behavioral1/files/0x000600000001745d-471.dat family_berbew behavioral1/files/0x000600000001748d-484.dat family_berbew behavioral1/files/0x000600000001864a-493.dat family_berbew behavioral1/files/0x00060000000190b3-517.dat family_berbew behavioral1/files/0x00050000000191fd-537.dat family_berbew behavioral1/files/0x0005000000019251-561.dat family_berbew behavioral1/files/0x0005000000019367-580.dat family_berbew behavioral1/files/0x00050000000193b1-602.dat family_berbew behavioral1/files/0x0005000000019602-669.dat family_berbew behavioral1/files/0x0005000000019608-690.dat family_berbew behavioral1/files/0x000500000001960c-702.dat family_berbew behavioral1/files/0x00050000000196a4-723.dat family_berbew behavioral1/files/0x0005000000019c49-758.dat family_berbew behavioral1/files/0x0005000000019d3a-769.dat family_berbew behavioral1/files/0x0005000000019faf-792.dat family_berbew behavioral1/files/0x000500000001a423-830.dat family_berbew behavioral1/files/0x000500000001a4a2-894.dat family_berbew behavioral1/files/0x000500000001a4ce-993.dat family_berbew behavioral1/files/0x000500000001a4e3-1058.dat family_berbew behavioral1/files/0x000500000001a4e7-1069.dat family_berbew behavioral1/files/0x000500000001a5a8-1137.dat family_berbew behavioral1/files/0x000500000001c705-1171.dat family_berbew behavioral1/files/0x000500000001c74a-1184.dat family_berbew behavioral1/files/0x000500000001c837-1226.dat family_berbew behavioral1/files/0x000500000001c84a-1272.dat family_berbew behavioral1/files/0x000500000001c846-1260.dat family_berbew behavioral1/files/0x000500000001c85b-1307.dat family_berbew behavioral1/files/0x000500000001c86a-1327.dat family_berbew behavioral1/files/0x000500000001c87d-1341.dat family_berbew behavioral1/files/0x000500000001c890-1351.dat family_berbew behavioral1/files/0x000500000001c899-1375.dat family_berbew behavioral1/files/0x000500000001c8a2-1400.dat family_berbew behavioral1/files/0x000500000001c8a8-1413.dat family_berbew behavioral1/files/0x000500000001c8b2-1438.dat family_berbew behavioral1/files/0x000500000001c8b6-1453.dat family_berbew behavioral1/files/0x000500000001c8be-1479.dat family_berbew behavioral1/files/0x000400000001c9ed-1494.dat family_berbew behavioral1/files/0x000400000001cad7-1517.dat family_berbew behavioral1/files/0x000400000001cb30-1529.dat family_berbew behavioral1/files/0x000400000001cb36-1540.dat family_berbew behavioral1/files/0x000400000001cb5a-1565.dat family_berbew behavioral1/files/0x000400000001cb94-1605.dat family_berbew behavioral1/files/0x000400000001cbcd-1637.dat family_berbew behavioral1/files/0x000400000001cbd2-1645.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2760 Infdolgh.exe 2204 Jnhqdkde.exe 2556 Jagmpg32.exe 2524 Jedefejo.exe 2424 Jgcabqic.exe 2888 Kbalnnam.exe 2004 Kjhdokbo.exe 2680 Kmgpkfab.exe 1560 Kmimafop.exe 2024 Khekgc32.exe 2312 Klqfhbbe.exe 1572 Kanopipl.exe 2192 Laplei32.exe 1060 Lkhpnnej.exe 1088 Lpgele32.exe 1800 Lbfahp32.exe 112 Lpjbad32.exe 1912 Lchnnp32.exe 1608 Mcodno32.exe 1652 Menakj32.exe 852 Mhlmgf32.exe 2292 Mkjica32.exe 1984 Mofecpnl.exe 1212 Mdcnlglc.exe 1988 Mhnjle32.exe 1636 Mohbip32.exe 2572 Mdejaf32.exe 2720 Mhqfbebj.exe 2324 Mkobnqan.exe 2724 Nnnojlpa.exe 2732 Nplkfgoe.exe 2400 Nlblkhei.exe 2672 Nghphaeo.exe 2144 Nnbhek32.exe 1544 Nleiqhcg.exe 1932 Ncoamb32.exe 1260 Njiijlbp.exe 2252 Nbdnoo32.exe 1940 Njkfpl32.exe 1992 Nkmbgdfl.exe 1028 Nccjhafn.exe 1864 Odegpj32.exe 1780 Okoomd32.exe 1288 Oojknblb.exe 1884 Obigjnkf.exe 2812 Ofdcjm32.exe 2368 Odgcfijj.exe 2284 Ogfpbeim.exe 2636 Oomhcbjp.exe 1712 Onphoo32.exe 2456 Oqndkj32.exe 1916 Odjpkihg.exe 1524 Oghlgdgk.exe 1584 Onbddoog.exe 2372 Obnqem32.exe 2700 Ocomlemo.exe 2452 Ogjimd32.exe 2084 Ojieip32.exe 676 Ondajnme.exe 2844 Oqcnfjli.exe 1244 Ogmfbd32.exe 1592 Pminkk32.exe 844 Pphjgfqq.exe 2112 Pgobhcac.exe -
Loads dropped DLL 64 IoCs
pid Process 2064 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe 2064 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe 2760 Infdolgh.exe 2760 Infdolgh.exe 2204 Jnhqdkde.exe 2204 Jnhqdkde.exe 2556 Jagmpg32.exe 2556 Jagmpg32.exe 2524 Jedefejo.exe 2524 Jedefejo.exe 2424 Jgcabqic.exe 2424 Jgcabqic.exe 2888 Kbalnnam.exe 2888 Kbalnnam.exe 2004 Kjhdokbo.exe 2004 Kjhdokbo.exe 2680 Kmgpkfab.exe 2680 Kmgpkfab.exe 1560 Kmimafop.exe 1560 Kmimafop.exe 2024 Khekgc32.exe 2024 Khekgc32.exe 2312 Klqfhbbe.exe 2312 Klqfhbbe.exe 1572 Kanopipl.exe 1572 Kanopipl.exe 2192 Laplei32.exe 2192 Laplei32.exe 1060 Lkhpnnej.exe 1060 Lkhpnnej.exe 1088 Lpgele32.exe 1088 Lpgele32.exe 1800 Lbfahp32.exe 1800 Lbfahp32.exe 112 Lpjbad32.exe 112 Lpjbad32.exe 1912 Lchnnp32.exe 1912 Lchnnp32.exe 1608 Mcodno32.exe 1608 Mcodno32.exe 1652 Menakj32.exe 1652 Menakj32.exe 852 Mhlmgf32.exe 852 Mhlmgf32.exe 2292 Mkjica32.exe 2292 Mkjica32.exe 1984 Mofecpnl.exe 1984 Mofecpnl.exe 1212 Mdcnlglc.exe 1212 Mdcnlglc.exe 1988 Mhnjle32.exe 1988 Mhnjle32.exe 1636 Mohbip32.exe 1636 Mohbip32.exe 2572 Mdejaf32.exe 2572 Mdejaf32.exe 2720 Mhqfbebj.exe 2720 Mhqfbebj.exe 2324 Mkobnqan.exe 2324 Mkobnqan.exe 2724 Nnnojlpa.exe 2724 Nnnojlpa.exe 2732 Nplkfgoe.exe 2732 Nplkfgoe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fnnajckm.dll Ogmfbd32.exe File created C:\Windows\SysWOW64\Cibcni32.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Onjgiiad.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Indgjihl.dll Jmplcp32.exe File opened for modification C:\Windows\SysWOW64\Kincipnk.exe Kbdklf32.exe File created C:\Windows\SysWOW64\Bdkgocpm.exe Behgcf32.exe File created C:\Windows\SysWOW64\Alqkcl32.dll Nghphaeo.exe File opened for modification C:\Windows\SysWOW64\Kkolkk32.exe Kiqpop32.exe File created C:\Windows\SysWOW64\Afkbib32.exe Admemg32.exe File created C:\Windows\SysWOW64\Mbpnanch.exe Mdmmfa32.exe File created C:\Windows\SysWOW64\Jejinjob.dll Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe Mlaeonld.exe File created C:\Windows\SysWOW64\Dlmdloao.dll Ppjglfon.exe File created C:\Windows\SysWOW64\Bifjqh32.dll Pgplkb32.exe File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Eqijej32.exe File created C:\Windows\SysWOW64\Khdlmj32.dll Ikfmfi32.exe File opened for modification C:\Windows\SysWOW64\Cnippoha.exe Cfbhnaho.exe File opened for modification C:\Windows\SysWOW64\Jbgkcb32.exe Jjpcbe32.exe File opened for modification C:\Windows\SysWOW64\Pfdabino.exe Pokieo32.exe File created C:\Windows\SysWOW64\Qlhnbf32.exe Pijbfj32.exe File created C:\Windows\SysWOW64\Cinika32.dll Qagcpljo.exe File created C:\Windows\SysWOW64\Adnopfoj.exe Aekodi32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Dkcofe32.exe Dggcffhg.exe File created C:\Windows\SysWOW64\Amfidj32.dll Egllae32.exe File created C:\Windows\SysWOW64\Hkeapk32.dll Kpjhkjde.exe File opened for modification C:\Windows\SysWOW64\Oomhcbjp.exe Ogfpbeim.exe File created C:\Windows\SysWOW64\Ngpolo32.exe Nceclqan.exe File opened for modification C:\Windows\SysWOW64\Jqnejn32.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Nodmbemj.dll Blmfea32.exe File created C:\Windows\SysWOW64\Gangic32.exe Gopkmhjk.exe File created C:\Windows\SysWOW64\Jbgkcb32.exe Jjpcbe32.exe File created C:\Windows\SysWOW64\Gcopbn32.dll Lapnnafn.exe File opened for modification C:\Windows\SysWOW64\Onecbg32.exe Okfgfl32.exe File created C:\Windows\SysWOW64\Hnbjle32.dll Njkfpl32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Ecmkghcl.exe File created C:\Windows\SysWOW64\Ldahol32.dll Gangic32.exe File created C:\Windows\SysWOW64\Glqllcbf.dll Hlfdkoin.exe File created C:\Windows\SysWOW64\Mdmmfa32.exe Mpbaebdd.exe File opened for modification C:\Windows\SysWOW64\Onjgiiad.exe Ngpolo32.exe File created C:\Windows\SysWOW64\Cmicaonb.dll Pjenhm32.exe File created C:\Windows\SysWOW64\Fpqdkf32.exe Flehkhai.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Penfelgm.exe File created C:\Windows\SysWOW64\Mieeibkn.exe Mooaljkh.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Bokphdld.exe File created C:\Windows\SysWOW64\Mcblodlj.dll Jjbpgd32.exe File created C:\Windows\SysWOW64\Kklpekno.exe Kincipnk.exe File opened for modification C:\Windows\SysWOW64\Bmhideol.exe Afnagk32.exe File created C:\Windows\SysWOW64\Pfiidobe.exe Pbmmcq32.exe File created C:\Windows\SysWOW64\Apimacnn.exe Amkpegnj.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Ghhofmql.exe File opened for modification C:\Windows\SysWOW64\Gifhnpea.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Gicbeald.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Pndaof32.dll Plfamfpm.exe File created C:\Windows\SysWOW64\Adhlaggp.exe Aplpai32.exe File created C:\Windows\SysWOW64\Ndkakief.dll Efncicpm.exe File created C:\Windows\SysWOW64\Fjhlioai.dll Bidjnkdg.exe File opened for modification C:\Windows\SysWOW64\Mhhfdo32.exe Mieeibkn.exe File created C:\Windows\SysWOW64\Mlfojn32.exe Mhjbjopf.exe File created C:\Windows\SysWOW64\Bhfcpb32.exe Bdkgocpm.exe File opened for modification C:\Windows\SysWOW64\Nleiqhcg.exe Nnbhek32.exe File opened for modification C:\Windows\SysWOW64\Ljibgg32.exe Lfmffhde.exe File created C:\Windows\SysWOW64\Ikhkppkn.dll Odlojanh.exe File opened for modification C:\Windows\SysWOW64\Jnqphi32.exe Jonplmcb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7472 7416 WerFault.exe 816 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnippoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphhoacd.dll" Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll" Fejgko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpdcnhnl.dll" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmjqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll" Pfikmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oancnfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnhqdkde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lahkigca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aefeijle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoopae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhjapjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklmionp.dll" 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpfkqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ognnoaka.dll" Cngcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adpkee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejkima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll" Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnelgk32.dll" Ojieip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhklfnh.dll" Lecgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmlko32.dll" Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbkba32.dll" Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhmjkaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmdmcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhnffp.dll" Ffhpbacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oobjaqaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll" Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll" Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacnpbdl.dll" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehllae32.dll" Inngcfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afldcl32.dll" Kgkafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll" Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmabnaj.dll" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmihgeia.dll" Nnnojlpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afdlhchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll" Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" Eecqjpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ookmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll" Pfdabino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odgcfijj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebedndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgggfhdc.dll" Oobjaqaj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2760 2064 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2760 2064 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2760 2064 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe 28 PID 2064 wrote to memory of 2760 2064 40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe 28 PID 2760 wrote to memory of 2204 2760 Infdolgh.exe 29 PID 2760 wrote to memory of 2204 2760 Infdolgh.exe 29 PID 2760 wrote to memory of 2204 2760 Infdolgh.exe 29 PID 2760 wrote to memory of 2204 2760 Infdolgh.exe 29 PID 2204 wrote to memory of 2556 2204 Jnhqdkde.exe 30 PID 2204 wrote to memory of 2556 2204 Jnhqdkde.exe 30 PID 2204 wrote to memory of 2556 2204 Jnhqdkde.exe 30 PID 2204 wrote to memory of 2556 2204 Jnhqdkde.exe 30 PID 2556 wrote to memory of 2524 2556 Jagmpg32.exe 31 PID 2556 wrote to memory of 2524 2556 Jagmpg32.exe 31 PID 2556 wrote to memory of 2524 2556 Jagmpg32.exe 31 PID 2556 wrote to memory of 2524 2556 Jagmpg32.exe 31 PID 2524 wrote to memory of 2424 2524 Jedefejo.exe 32 PID 2524 wrote to memory of 2424 2524 Jedefejo.exe 32 PID 2524 wrote to memory of 2424 2524 Jedefejo.exe 32 PID 2524 wrote to memory of 2424 2524 Jedefejo.exe 32 PID 2424 wrote to memory of 2888 2424 Jgcabqic.exe 33 PID 2424 wrote to memory of 2888 2424 Jgcabqic.exe 33 PID 2424 wrote to memory of 2888 2424 Jgcabqic.exe 33 PID 2424 wrote to memory of 2888 2424 Jgcabqic.exe 33 PID 2888 wrote to memory of 2004 2888 Kbalnnam.exe 34 PID 2888 wrote to memory of 2004 2888 Kbalnnam.exe 34 PID 2888 wrote to memory of 2004 2888 Kbalnnam.exe 34 PID 2888 wrote to memory of 2004 2888 Kbalnnam.exe 34 PID 2004 wrote to memory of 2680 2004 Kjhdokbo.exe 35 PID 2004 wrote to memory of 2680 2004 Kjhdokbo.exe 35 PID 2004 wrote to memory of 2680 2004 Kjhdokbo.exe 35 PID 2004 wrote to memory of 2680 2004 Kjhdokbo.exe 35 PID 2680 wrote to memory of 1560 2680 Kmgpkfab.exe 36 PID 2680 wrote to memory of 1560 2680 Kmgpkfab.exe 36 PID 2680 wrote to memory of 1560 2680 Kmgpkfab.exe 36 PID 2680 wrote to memory of 1560 2680 Kmgpkfab.exe 36 PID 1560 wrote to memory of 2024 1560 Kmimafop.exe 37 PID 1560 wrote to memory of 2024 1560 Kmimafop.exe 37 PID 1560 wrote to memory of 2024 1560 Kmimafop.exe 37 PID 1560 wrote to memory of 2024 1560 Kmimafop.exe 37 PID 2024 wrote to memory of 2312 2024 Khekgc32.exe 38 PID 2024 wrote to memory of 2312 2024 Khekgc32.exe 38 PID 2024 wrote to memory of 2312 2024 Khekgc32.exe 38 PID 2024 wrote to memory of 2312 2024 Khekgc32.exe 38 PID 2312 wrote to memory of 1572 2312 Klqfhbbe.exe 39 PID 2312 wrote to memory of 1572 2312 Klqfhbbe.exe 39 PID 2312 wrote to memory of 1572 2312 Klqfhbbe.exe 39 PID 2312 wrote to memory of 1572 2312 Klqfhbbe.exe 39 PID 1572 wrote to memory of 2192 1572 Kanopipl.exe 40 PID 1572 wrote to memory of 2192 1572 Kanopipl.exe 40 PID 1572 wrote to memory of 2192 1572 Kanopipl.exe 40 PID 1572 wrote to memory of 2192 1572 Kanopipl.exe 40 PID 2192 wrote to memory of 1060 2192 Laplei32.exe 41 PID 2192 wrote to memory of 1060 2192 Laplei32.exe 41 PID 2192 wrote to memory of 1060 2192 Laplei32.exe 41 PID 2192 wrote to memory of 1060 2192 Laplei32.exe 41 PID 1060 wrote to memory of 1088 1060 Lkhpnnej.exe 42 PID 1060 wrote to memory of 1088 1060 Lkhpnnej.exe 42 PID 1060 wrote to memory of 1088 1060 Lkhpnnej.exe 42 PID 1060 wrote to memory of 1088 1060 Lkhpnnej.exe 42 PID 1088 wrote to memory of 1800 1088 Lpgele32.exe 43 PID 1088 wrote to memory of 1800 1088 Lpgele32.exe 43 PID 1088 wrote to memory of 1800 1088 Lpgele32.exe 43 PID 1088 wrote to memory of 1800 1088 Lpgele32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\40aa049b1be8f9824f4411367a6b9ff0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Jagmpg32.exeC:\Windows\system32\Jagmpg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe33⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe36⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe37⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe38⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe39⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe41⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe42⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe43⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe44⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe45⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe46⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe47⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Odgcfijj.exeC:\Windows\system32\Odgcfijj.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe51⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe52⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe53⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe54⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe55⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe57⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe58⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe61⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe63⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe64⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe65⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe66⤵PID:1844
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe69⤵PID:1508
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe70⤵PID:2536
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe71⤵PID:3028
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe72⤵PID:2080
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe73⤵PID:2132
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe74⤵PID:2028
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe75⤵PID:1012
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe76⤵PID:2684
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe77⤵PID:1852
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe78⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe79⤵PID:816
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe80⤵PID:964
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe81⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe83⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe84⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe85⤵PID:1640
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe86⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe87⤵PID:2552
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe88⤵PID:1704
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe89⤵PID:2872
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe90⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe91⤵PID:2344
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe92⤵
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe93⤵PID:3000
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe94⤵PID:540
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe95⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe96⤵PID:1792
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe97⤵PID:2412
-
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe98⤵PID:2756
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe99⤵PID:2404
-
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe100⤵PID:324
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe101⤵PID:912
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe102⤵
- Drops file in System32 directory
PID:296 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe103⤵PID:2152
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe104⤵PID:2108
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe105⤵PID:2736
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe106⤵PID:2276
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe107⤵PID:2808
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe108⤵PID:1968
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe109⤵
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe110⤵PID:2856
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe111⤵PID:2936
-
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe112⤵PID:1876
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe113⤵PID:1568
-
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe114⤵PID:2836
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe115⤵PID:1948
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe116⤵PID:2268
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe117⤵PID:2644
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe119⤵PID:2444
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe120⤵PID:1428
-
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe121⤵
- Modifies registry class
PID:2208
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-