Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/05/2024, 00:56
Behavioral task behavioral1
Sample: 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe
Size: 305KB
MD5: 53f6fbfb6637065817d179b3e54aae50
SHA1: 949ac3fbe9f9b6f81d5c5c6c44b6fa778f8ddd9e
SHA256: e75a066c704f38d1e32cd660fcf2283f4ae304a6a160d5c66b456c1a1c71f846
SHA512: ab3b895f0907e88d22e802cbc445eb2b114f44db415b9c00c6cbb86dfe89e531f51704b7ab6b667308b8ad8f76acb1e3cd14ce360e8d773b75b140bfa1b8f12c
SSDEEP: 6144:Xdt+Sw0XTbnNxunXe8yhrtMsQBvli+RQFdq:Xdt+Sw0jLvAO8qRMsrOQF
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
All 64 IoCs touch the same key; they are grouped here by description, with the writing processes listed in the order the report gives them.

Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 33 processes:
Jkmcfhkc.exe, Abeemhkh.exe, Dchali32.exe, Fepiimfg.exe, Cghggc32.exe, Mpmapm32.exe, Kfbkmk32.exe, Mmhodf32.exe, Oclilp32.exe, Hhjapjmi.exe, Pefijfii.exe, Pimkpfeh.exe, Bnbjopoi.exe, Jbllihbf.exe, Eqpgol32.exe, Odobjg32.exe, Mapjmehi.exe, Ngnbgplj.exe, Hlljjjnm.exe, Imfqjbli.exe, Qbcpbo32.exe, Okfgfl32.exe, Ocdmaj32.exe, Eqgnokip.exe, Ichllgfb.exe, Bkglameg.exe, Hkcdafqb.exe, Ckjpacfp.exe, Libicbma.exe, Mofglh32.exe, Kmopod32.exe, Nhaikn32.exe, Odjbdb32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | 31 processes:
Okgnab32.exe, Igakgfpn.exe, Onjgiiad.exe, Ikhjki32.exe, Ookmfk32.exe, Iggkllpe.exe, Idcokkak.exe, Oobjaqaj.exe, Chpmpg32.exe, Bajomhbl.exe, Gepehphc.exe, Hpkjko32.exe, Ganpomec.exe, Kfpgmdog.exe, Gonnhhln.exe, Jhljdm32.exe, Gbijhg32.exe, Eqgnokip.exe, Habfipdj.exe, Jnicmdli.exe, Blkioa32.exe, Dfamcogo.exe, Enfenplo.exe, Hkcdafqb.exe, Kaceodek.exe, Llfifq32.exe, Hedocp32.exe, Icmegf32.exe, Jjlnif32.exe, Nacgdhlp.exe, Pmdjdh32.exe
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan that can download and install additional malware, such as other Trojans, ransomware and cryptominers.
resource | yara_rule
All 64 resources below matched family_berbew: 61 dropped files and 3 process memory regions.

Dropped files (behavioral1/files/...):
0x000d000000012334-5.dat, 0x0008000000014971-18.dat, 0x0007000000014b63-33.dat
0x0009000000014e51-46.dat, 0x0006000000015ceb-60.dat, 0x0006000000015d28-74.dat
0x0006000000015d56-88.dat, 0x0006000000015d67-101.dat, 0x002f000000014708-115.dat
0x0006000000015d87-129.dat, 0x0006000000015d9b-143.dat, 0x0006000000015eaf-156.dat
0x0006000000015fe9-170.dat, 0x00060000000161e7-183.dat, 0x00060000000164b2-197.dat
0x000600000001661c-212.dat, 0x0006000000016a9a-229.dat, 0x0006000000016c63-236.dat
0x0006000000016cb7-247.dat, 0x0006000000016d0d-258.dat, 0x0006000000016d26-271.dat
0x0006000000016d7e-281.dat, 0x0006000000016da7-291.dat, 0x0006000000016dbf-302.dat
0x0006000000016eb2-313.dat, 0x00060000000173d5-324.dat, 0x00060000000173e0-335.dat
0x000600000001745e-346.dat, 0x000600000001749c-359.dat, 0x000900000001864e-368.dat
0x000500000001866d-379.dat, 0x0006000000018c0a-390.dat, 0x0006000000018f3a-400.dat
0x00060000000190b6-411.dat, 0x00050000000191cd-422.dat, 0x0005000000019215-433.dat
0x000500000001923d-444.dat, 0x000500000001924a-455.dat, 0x0005000000019270-466.dat
0x000500000001933a-477.dat, 0x000500000001935d-489.dat, 0x0005000000019389-499.dat
0x000500000001940a-512.dat, 0x0005000000019426-520.dat, 0x000500000001943c-531.dat
0x000500000001944f-543.dat, 0x000500000001945a-554.dat, 0x00050000000194b4-566.dat
0x00050000000194e9-577.dat, 0x0005000000019616-586.dat, 0x000500000001961f-594.dat
0x0005000000019798-607.dat, 0x0005000000019ae3-615.dat, 0x0005000000019c5c-629.dat
0x0005000000019d61-638.dat, 0x0005000000019f43-649.dat, 0x000500000001a049-658.dat
0x000500000001a2d6-669.dat, 0x000500000001a40d-678.dat, 0x000500000001a417-694.dat
0x000500000001a419-702.dat

Process memory (behavioral1/memory/...):
1684-240-0x0000000000250000-0x0000000000293000-memory.dmp
2068-261-0x0000000000290000-0x00000000002D3000-memory.dmp
1352-272-0x0000000000450000-0x0000000000493000-memory.dmp
Executes dropped EXE 64 IoCs
pid | Process
1640 Bhahlj32.exe
3004 Bloqah32.exe
2636 Bnbjopoi.exe
2484 Bnefdp32.exe
2624 Cljcelan.exe
2500 Cllpkl32.exe
2876 Comimg32.exe
1520 Claifkkf.exe
624 Chhjkl32.exe
1060 Dkhcmgnl.exe
2012 Ddcdkl32.exe
1336 Dchali32.exe
2320 Dgfjbgmh.exe
1296 Eflgccbp.exe
2548 Eeqdep32.exe
1040 Eiomkn32.exe
1684 Eiaiqn32.exe
2376 Ebinic32.exe
2068 Fjdbnf32.exe
1352 Faokjpfd.exe
2896 Fpdhklkl.exe
916 Fmhheqje.exe
1700 Fioija32.exe
2856 Flmefm32.exe
1240 Ffbicfoc.exe
2268 Gonnhhln.exe
2212 Gbijhg32.exe
2544 Gbkgnfbd.exe
2724 Gaqcoc32.exe
2608 Gelppaof.exe
2664 Ghmiam32.exe
2480 Gkkemh32.exe
2872 Hiqbndpb.exe
2192 Hpkjko32.exe
1200 Hdhbam32.exe
1656 Hggomh32.exe
2256 Hellne32.exe
908 Hhjhkq32.exe
1332 Ieqeidnl.exe
2396 Ilknfn32.exe
1256 Inljnfkg.exe
1948 Igdogl32.exe
1052 Inngcfid.exe
816 Ihdkao32.exe
644 Iggkllpe.exe
3028 Ijeghgoh.exe
968 Igihbknb.exe
312 Imfqjbli.exe
2508 Igkdgk32.exe
800 Jnemdecl.exe
872 Jofiln32.exe
1596 Jjlnif32.exe
2832 Jjojofgn.exe
2600 Jokcgmee.exe
2652 Jcgogk32.exe
2712 Jehkodcm.exe
2220 Jmocpado.exe
1880 Jkbcln32.exe
2240 Jbllihbf.exe
2540 Jkdpanhg.exe
1900 Jbnhng32.exe
2960 Kemejc32.exe
636 Kjjmbj32.exe
2428 Kbqecg32.exe
Loads dropped DLL 64 IoCs
pid | Process
Each of the 32 processes below appears twice in the report's list, which is how it reaches 64 IoCs.
1688 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe
1640 Bhahlj32.exe
3004 Bloqah32.exe
2636 Bnbjopoi.exe
2484 Bnefdp32.exe
2624 Cljcelan.exe
2500 Cllpkl32.exe
2876 Comimg32.exe
1520 Claifkkf.exe
624 Chhjkl32.exe
1060 Dkhcmgnl.exe
2012 Ddcdkl32.exe
1336 Dchali32.exe
2320 Dgfjbgmh.exe
1296 Eflgccbp.exe
2548 Eeqdep32.exe
1040 Eiomkn32.exe
1684 Eiaiqn32.exe
2376 Ebinic32.exe
2068 Fjdbnf32.exe
1352 Faokjpfd.exe
2896 Fpdhklkl.exe
916 Fmhheqje.exe
1700 Fioija32.exe
2856 Flmefm32.exe
1240 Ffbicfoc.exe
2268 Gonnhhln.exe
2212 Gbijhg32.exe
2544 Gbkgnfbd.exe
2724 Gaqcoc32.exe
2608 Gelppaof.exe
2664 Ghmiam32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Kmgbdo32.exe | Kjifhc32.exe
File opened for modification | C:\Windows\SysWOW64\Lmgocb32.exe | Ljibgg32.exe
File opened for modification | C:\Windows\SysWOW64\Jnemdecl.exe | Igkdgk32.exe
File created | C:\Windows\SysWOW64\Jofiln32.exe | Jnemdecl.exe
File created | C:\Windows\SysWOW64\Kfbkmk32.exe | Kcdnao32.exe
File created | C:\Windows\SysWOW64\Qmbbdq32.dll | Fepiimfg.exe
File created | C:\Windows\SysWOW64\Hoikeh32.dll | Gpcmpijk.exe
File created | C:\Windows\SysWOW64\Gfobbc32.exe | Gpejeihi.exe
File created | C:\Windows\SysWOW64\Bjdplm32.exe | Bhfcpb32.exe
File created | C:\Windows\SysWOW64\Omabcb32.dll | Gkkemh32.exe
File created | C:\Windows\SysWOW64\Bidjnkdg.exe | Bfenbpec.exe
File created | C:\Windows\SysWOW64\Cfgnhbba.dll | Cklmgb32.exe
File created | C:\Windows\SysWOW64\Icmegf32.exe | Ikfmfi32.exe
File opened for modification | C:\Windows\SysWOW64\Ljffag32.exe | Lclnemgd.exe
File opened for modification | C:\Windows\SysWOW64\Lbiqfied.exe | Lmlhnagm.exe
File created | C:\Windows\SysWOW64\Okgnab32.exe | Ojfaijcc.exe
File opened for modification | C:\Windows\SysWOW64\Hhjapjmi.exe | Hapicp32.exe
File created | C:\Windows\SysWOW64\Napoohch.dll | Amnfnfgg.exe
File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | Bjdplm32.exe
File opened for modification | C:\Windows\SysWOW64\Lhpfqama.exe | Logbhl32.exe
File opened for modification | C:\Windows\SysWOW64\Blgpef32.exe | Baakhm32.exe
File created | C:\Windows\SysWOW64\Bfqgjgep.dll | Aigchgkh.exe
File created | C:\Windows\SysWOW64\Cklmgb32.exe | Cdbdjhmp.exe
File opened for modification | C:\Windows\SysWOW64\Dhdcji32.exe | Dfffnn32.exe
File created | C:\Windows\SysWOW64\Bbnhbg32.dll | Nncahjgl.exe
File opened for modification | C:\Windows\SysWOW64\Ocgpappk.exe | Onjgiiad.exe
File opened for modification | C:\Windows\SysWOW64\Oclilp32.exe | Ohfeog32.exe
File created | C:\Windows\SysWOW64\Oobjaqaj.exe | Okgnab32.exe
File created | C:\Windows\SysWOW64\Piphee32.exe | Pedleg32.exe
File created | C:\Windows\SysWOW64\Ckjpacfp.exe | Blgpef32.exe
File created | C:\Windows\SysWOW64\Fnkjhb32.exe | Fhqbkhch.exe
File created | C:\Windows\SysWOW64\Idgjaf32.dll | Gbomfe32.exe
File opened for modification | C:\Windows\SysWOW64\Jnpinc32.exe | Jfiale32.exe
File opened for modification | C:\Windows\SysWOW64\Ngibaj32.exe | Npojdpef.exe
File created | C:\Windows\SysWOW64\Agdjkogm.exe | Amnfnfgg.exe
File created | C:\Windows\SysWOW64\Agfgqo32.exe | Apoooa32.exe
File opened for modification | C:\Windows\SysWOW64\Aigchgkh.exe | Agfgqo32.exe
File created | C:\Windows\SysWOW64\Flmefm32.exe | Fioija32.exe
File opened for modification | C:\Windows\SysWOW64\Igihbknb.exe | Ijeghgoh.exe
File opened for modification | C:\Windows\SysWOW64\Oklkmnbp.exe | Npfgpe32.exe
File opened for modification | C:\Windows\SysWOW64\Gmdadnkh.exe | Gbomfe32.exe
File created | C:\Windows\SysWOW64\Ilncom32.exe | Igakgfpn.exe
File created | C:\Windows\SysWOW64\Jkoplhip.exe | Jchhkjhn.exe
File created | C:\Windows\SysWOW64\Algdlcdm.dll | Ghcoqh32.exe
File created | C:\Windows\SysWOW64\Bpmiamoh.dll | Knklagmb.exe
File created | C:\Windows\SysWOW64\Oecbjjic.dll | Ffbicfoc.exe
File created | C:\Windows\SysWOW64\Iknqdmpf.dll | Inngcfid.exe
File opened for modification | C:\Windows\SysWOW64\Jokcgmee.exe | Jkpgfn32.exe
File opened for modification | C:\Windows\SysWOW64\Kbdklf32.exe | Kmgbdo32.exe
File created | C:\Windows\SysWOW64\Mmneda32.exe | Libicbma.exe
File created | C:\Windows\SysWOW64\Bilmcf32.exe | Abbeflpf.exe
File opened for modification | C:\Windows\SysWOW64\Jjlnif32.exe | Jofiln32.exe
File created | C:\Windows\SysWOW64\Jejinjob.dll | Piphee32.exe
File created | C:\Windows\SysWOW64\Fmbhok32.exe | Fekpnn32.exe
File created | C:\Windows\SysWOW64\Mapjmehi.exe | Mponel32.exe
File created | C:\Windows\SysWOW64\Gjlegpjp.dll | Nolhan32.exe
File opened for modification | C:\Windows\SysWOW64\Fcefji32.exe | Fnhnbb32.exe
File created | C:\Windows\SysWOW64\Pefgcifd.dll | Fnkjhb32.exe
File created | C:\Windows\SysWOW64\Jnbfqn32.dll | Ikfmfi32.exe
File created | C:\Windows\SysWOW64\Kjfjbdle.exe | Jghmfhmb.exe
File opened for modification | C:\Windows\SysWOW64\Lapnnafn.exe | Ljffag32.exe
File created | C:\Windows\SysWOW64\Emnndlod.exe | Egafleqm.exe
File created | C:\Windows\SysWOW64\Bqjfjb32.dll | Olonpp32.exe
File created | C:\Windows\SysWOW64\Bbmfll32.dll | Llnofpcg.exe
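The "Drops file in System32 directory" and "Executes dropped EXE" signatures above show each copy of the sample writing the next eight-character .exe or .dll into C:\Windows\SysWOW64 and running it. The PowerShell sweep below is an added triage example for checking a host against that pattern; it is not code from the tria.ge report, from the sandbox, or from the malware. The look-back window, the directory list and the file-name regex are assumptions derived from the names listed above, not something the report states as a rule.

```powershell
# Added triage sweep for the drop pattern in this report; not part of tria.ge's output or of
# Berbew. Read-only. Lists PE files under the directories the dropper wrote to that share the
# traits seen above: eight-character alphabetic name (optionally ending in "32"), .exe or .dll,
# no valid Authenticode signature, created within a look-back window. Run elevated.

param(
    [int]$LookbackDays = 7,                                                  # assumption: tune per case
    [string[]]$Directories = @("$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")
)

# Name shape derived from the names in this report (Bhahlj32.exe, Bnbjopoi.exe, Qmbbdq32.dll):
# six letters plus "32", or eight letters, then .exe/.dll. -match is case-insensitive by default.
$NamePattern = '^(?:[a-z]{6}32|[a-z]{8})\.(?:exe|dll)$'

function Find-SuspectDroppedBinary {
    param([string[]]$Path, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $NamePattern -and $_.CreationTime -ge $since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Freshly dropped Berbew copies carry no signature; keep anything that is not Valid.
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        SizeKB       = [math]::Round($_.Length / 1KB)
                        CreationTime = $_.CreationTime
                        Signature    = $sig.Status
                        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Find-SuspectDroppedBinary -Path $Directories -Days $LookbackDays |
    Sort-Object -Property CreationTime |
    Format-Table Path, SizeKB, CreationTime, Signature, SHA256 -AutoSize
```

Two caveats when reading the output. Legitimate eight-letter Windows binaries (explorer.exe, services.exe) match the name regex, and on older PowerShell builds Get-AuthenticodeSignature does not consult catalog signatures, so OS files that are only catalog-signed also report NotSigned; the creation-time window and the SHA256 column are what separate a real drop from that noise. Compare the hashes against the sample's SHA256 above and against each other: the dropped copies are all the same family, so a run of same-sized, same-hash files created seconds apart in SysWOW64 is the chain this report describes.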
Program crash 1 IoCs
pid: 5116 | pid_target: 4156 | Process: WerFault.exe | procid_target: 426
Modifies registry class 64 IoCs
description | ioc | Process
All 64 IoCs sit under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32; they are grouped here by description, with processes in the order the report gives them.

Key created | ...\InProcServer32 | 18 processes:
Jokcgmee.exe, Fbmcbbki.exe, Jfnnha32.exe, Jnicmdli.exe, Inifnq32.exe, Oonafa32.exe, Nhiffc32.exe, Odobjg32.exe, Gmdadnkh.exe, Hojgfemq.exe, Ihjnom32.exe, Ghmiam32.exe, Igdogl32.exe, Bpgljfbl.exe, Dfamcogo.exe, Kjcpii32.exe, Kiqpop32.exe, Amnfnfgg.exe

Set value (str) | ...\InProcServer32\ThreadingModel = "Apartment" | 25 processes:
Inngcfid.exe, Gepehphc.exe, Jkpgfn32.exe, Jcgogk32.exe, Odhfob32.exe, Pfgngh32.exe, Gonnhhln.exe, Okfgfl32.exe, Eqpgol32.exe, Mofglh32.exe, Lflmci32.exe, Mpmapm32.exe, Pcdipnqn.exe, Baadng32.exe, Okgnab32.exe, Lgjfkk32.exe, Ngibaj32.exe, Oalfhf32.exe, Nncahjgl.exe, Gmpgio32.exe, Pedleg32.exe, Nodgel32.exe, Bhdgjb32.exe, Nefpnhlc.exe, Dfdjhndl.exe

Set value (str) | ...\InProcServer32\ (default) = DLL path | 21 processes, each pointing the CLSID at the DLL it dropped:
Mgqcmlgl.exe = "C:\\Windows\\SysWow64\\Gmndnn32.dll"
Pimkpfeh.exe = "C:\\Windows\\SysWow64\\Pbqpqcoj.dll"
Jjojofgn.exe = "C:\\Windows\\SysWow64\\Feocmm32.dll"
Lhpfqama.exe = "C:\\Windows\\SysWow64\\Jlbjhf32.dll"
Moiklogi.exe = "C:\\Windows\\SysWow64\\Dmlphhec.dll"
Ojahnj32.exe = "C:\\Windows\\SysWow64\\Inlepd32.dll"
Mggpgmof.exe = "C:\\Windows\\SysWow64\\Bmnkpm32.dll"
Mbkmlh32.exe = "C:\\Windows\\SysWow64\\Effqclic.dll"
Gakcimgf.exe = "C:\\Windows\\SysWow64\\Icdepo32.dll"
Odobjg32.exe = "C:\\Windows\\SysWow64\\Bgmefakc.dll"
Pqhijbog.exe = "C:\\Windows\\SysWow64\\Nlpdbghp.dll"
Pciifc32.exe = "C:\\Windows\\SysWow64\\Jonpde32.dll"
Migbnb32.exe = "C:\\Windows\\SysWow64\\Iggbhk32.dll"
Igkdgk32.exe = "C:\\Windows\\SysWow64\\Dhcebp32.dll"
Cjdfmo32.exe = "C:\\Windows\\SysWow64\\Bebpkk32.dll"
Jbllihbf.exe = "C:\\Windows\\SysWow64\\Dpbnlj32.dll"
Hgjefg32.exe = "C:\\Windows\\SysWow64\\Dkcinege.dll"
Gepehphc.exe = "C:\\Windows\\SysWow64\\Ehdqecfo.dll"
Agfgqo32.exe = "C:\\Windows\\SysWow64\\Hpggbq32.dll"
Jofiln32.exe = "C:\\Windows\\SysWow64\\Gapiomln.dll"
Bfenbpec.exe = "C:\\Windows\\SysWow64\\Agjiphda.dll"
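The "Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class" signatures above are two halves of one persistence mechanism: each dropped copy registers CLSID {79ECA078-17FF-726B-E811-213280E5C831} with an InProcServer32 pointing at a DLL it wrote under SysWow64, then lists that CLSID under ShellServiceObjectDelayLoad (SSODL) as "Web Event Logger" so that Explorer loads the DLL at logon. The script below is an added hunting example, not code from the tria.ge report or from Berbew: it walks both SSODL views, resolves every CLSID to its DLL and flags the traits shown above. The known-bad CLSID is taken from this report; the key paths are standard Windows registry layout, and the choice of what to flag (dangling CLSID, missing or unsigned DLL, DLL outside the Windows directory) is my assumption about what is worth an analyst's attention.

```powershell
# Added hunting script for the persistence shown in this report; not part of tria.ge's
# output or of Berbew. Read-only: it enumerates the ShellServiceObjectDelayLoad (SSODL)
# entries Explorer loads at logon, resolves each CLSID to its InProcServer32 DLL and
# flags the traits seen above. Run from an elevated PowerShell prompt.

# CLSID written under the value name "Web Event Logger" in this report (taken from the report).
$KnownBadClsids = @('{79ECA078-17FF-726B-E811-213280E5C831}')

# Native view, plus the Wow6432Node view that a 32-bit dropper's writes are redirected into
# (the registry paths in this report show exactly that redirection on the x64 VM).
$SsodlViews = @(
    @{
        Name      = 'Native'
        Path      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    },
    @{
        Name      = 'WOW64'
        Path      = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
        ClsidRoot = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    }
)

function Get-SsodlEntry {
    # One object per SSODL value: view, value name, CLSID, resolved DLL, signature status, reasons.
    foreach ($view in $SsodlViews) {
        if (-not (Test-Path -LiteralPath $view.Path)) { continue }
        $ssodl = Get-Item -LiteralPath $view.Path
        foreach ($valueName in $ssodl.GetValueNames()) {
            $clsid  = [string]$ssodl.GetValue($valueName)
            $inproc = Join-Path $view.ClsidRoot "$clsid\InProcServer32"
            $dll    = $null
            if (Test-Path -LiteralPath $inproc) {
                # The (default) value of InProcServer32 is the DLL path; expand %SystemRoot% and friends.
                $raw = (Get-Item -LiteralPath $inproc).GetValue('')
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables([string]$raw) }
            }

            $reasons   = New-Object 'System.Collections.Generic.List[string]'
            $sigStatus = 'n/a'
            if ($KnownBadClsids -contains $clsid) { $reasons.Add('CLSID listed as Berbew IoC in this report') }
            if (-not $dll) {
                $reasons.Add('no InProcServer32 for this CLSID (dangling SSODL entry)')
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $reasons.Add('InProcServer32 DLL missing on disk')
            } else {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
                if ($sigStatus -ne 'Valid') { $reasons.Add("signature status $sigStatus") }
                if ($dll -notlike "$env:SystemRoot\*") { $reasons.Add('DLL outside the Windows directory') }
            }

            [pscustomobject]@{
                View       = $view.Name
                ValueName  = $valueName
                Clsid      = $clsid
                Dll        = $dll
                Signature  = $sigStatus
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SsodlEntry |
    Sort-Object -Property Suspicious -Descending |
    Format-Table View, ValueName, Clsid, Dll, Signature, Reasons -AutoSize -Wrap
```

Check both views, not just the native one: the report's paths are all under Wow6432Node because the 32-bit dropper's registry writes are redirected there, and a native-only query would miss the entry entirely. A row whose DLL is missing on disk is still a finding, since it records an infection that was partly cleaned up. As with any Authenticode check, not every PowerShell build consults catalog signatures, so weigh NotSigned together with the CLSID match, the DLL location and its creation time rather than on its own.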
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1688 wrote to memory of 1640 1688 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe 28
PID 1688 wrote to memory of 1640 1688 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe 28
PID 1688 wrote to memory of 1640 1688 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe 28
PID 1688 wrote to memory of 1640 1688 53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe 28
PID 1640 wrote to memory of 3004 1640 Bhahlj32.exe 29
PID 1640 wrote to memory of 3004 1640 Bhahlj32.exe 29
PID 1640 wrote to memory of 3004 1640 Bhahlj32.exe 29
PID 1640 wrote to memory of 3004 1640 Bhahlj32.exe 29
PID 3004 wrote to memory of 2636 3004 Bloqah32.exe 30
PID 3004 wrote to memory of 2636 3004 Bloqah32.exe 30
PID 3004 wrote to memory of 2636 3004 Bloqah32.exe 30
PID 3004 wrote to memory of 2636 3004 Bloqah32.exe 30
PID 2636 wrote to memory of 2484 2636 Bnbjopoi.exe 31
PID 2636 wrote to memory of 2484 2636 Bnbjopoi.exe 31
PID 2636 wrote to memory of 2484 2636 Bnbjopoi.exe 31
PID 2636 wrote to memory of 2484 2636 Bnbjopoi.exe 31
PID 2484 wrote to memory of 2624 2484 Bnefdp32.exe 32
PID 2484 wrote to memory of 2624 2484 Bnefdp32.exe 32
PID 2484 wrote to memory of 2624 2484 Bnefdp32.exe 32
PID 2484 wrote to memory of 2624 2484 Bnefdp32.exe 32
PID 2624 wrote to memory of 2500 2624 Cljcelan.exe 33
PID 2624 wrote to memory of 2500 2624 Cljcelan.exe 33
PID 2624 wrote to memory of 2500 2624 Cljcelan.exe 33
PID 2624 wrote to memory of 2500 2624 Cljcelan.exe 33
PID 2500 wrote to memory of 2876 2500 Cllpkl32.exe 34
PID 2500 wrote to memory of 2876 2500 Cllpkl32.exe 34
PID 2500 wrote to memory of 2876 2500 Cllpkl32.exe 34
PID 2500 wrote to memory of 2876 2500 Cllpkl32.exe 34
PID 2876 wrote to memory of 1520 2876 Comimg32.exe 35
PID 2876 wrote to memory of 1520 2876 Comimg32.exe 35
PID 2876 wrote to memory of 1520 2876 Comimg32.exe 35
PID 2876 wrote to memory of 1520 2876 Comimg32.exe 35
PID 1520 wrote to memory of 624 1520 Claifkkf.exe 36
PID 1520 wrote to memory of 624 1520 Claifkkf.exe 36
PID 1520 wrote to memory of 624 1520 Claifkkf.exe 36
PID 1520 wrote to memory of 624 1520 Claifkkf.exe 36
PID 624 wrote to memory of 1060 624 Chhjkl32.exe 37
PID 624 wrote to memory of 1060 624 Chhjkl32.exe 37
PID 624 wrote to memory of 1060 624 Chhjkl32.exe 37
PID 624 wrote to memory of 1060 624 Chhjkl32.exe 37
PID 1060 wrote to memory of 2012 1060 Dkhcmgnl.exe 38
PID 1060 wrote to memory of 2012 1060 Dkhcmgnl.exe 38
PID 1060 wrote to memory of 2012 1060 Dkhcmgnl.exe 38
PID 1060 wrote to memory of 2012 1060 Dkhcmgnl.exe 38
PID 2012 wrote to memory of 1336 2012 Ddcdkl32.exe 39
PID 2012 wrote to memory of 1336 2012 Ddcdkl32.exe 39
PID 2012 wrote to memory of 1336 2012 Ddcdkl32.exe 39
PID 2012 wrote to memory of 1336 2012 Ddcdkl32.exe 39
PID 1336 wrote to memory of 2320 1336 Dchali32.exe 40
PID 1336 wrote to memory of 2320 1336 Dchali32.exe 40
PID 1336 wrote to memory of 2320 1336 Dchali32.exe 40
PID 1336 wrote to memory of 2320 1336 Dchali32.exe 40
PID 2320 wrote to memory of 1296 2320 Dgfjbgmh.exe 41
PID 2320 wrote to memory of 1296 2320 Dgfjbgmh.exe 41
PID 2320 wrote to memory of 1296 2320 Dgfjbgmh.exe 41
PID 2320 wrote to memory of 1296 2320 Dgfjbgmh.exe 41
PID 1296 wrote to memory of 2548 1296 Eflgccbp.exe 42
PID 1296 wrote to memory of 2548 1296 Eflgccbp.exe 42
PID 1296 wrote to memory of 2548 1296 Eflgccbp.exe 42
PID 1296 wrote to memory of 2548 1296 Eflgccbp.exe 42
PID 2548 wrote to memory of 1040 2548 Eeqdep32.exe 43
PID 2548 wrote to memory of 1040 2548 Eeqdep32.exe 43
PID 2548 wrote to memory of 1040 2548 Eeqdep32.exe 43
PID 2548 wrote to memory of 1040 2548 Eeqdep32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\53f6fbfb6637065817d179b3e54aae50_NeikiAnalytics.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Bhahlj32.exe C:\Windows\system32\Bhahlj32.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Bloqah32.exe C:\Windows\system32\Bloqah32.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Bnbjopoi.exe C:\Windows\system32\Bnbjopoi.exe 4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Bnefdp32.exe C:\Windows\system32\Bnefdp32.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Cljcelan.exe C:\Windows\system32\Cljcelan.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Cllpkl32.exe C:\Windows\system32\Cllpkl32.exe 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Comimg32.exe C:\Windows\system32\Comimg32.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\system32\Claifkkf.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Chhjkl32.exe C:\Windows\system32\Chhjkl32.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Dkhcmgnl.exe C:\Windows\system32\Dkhcmgnl.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\system32\Ddcdkl32.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Dchali32.exe C:\Windows\system32\Dchali32.exe 13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Dgfjbgmh.exe C:\Windows\system32\Dgfjbgmh.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Eflgccbp.exe C:\Windows\system32\Eflgccbp.exe 15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\system32\Eeqdep32.exe 16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Eiomkn32.exe C:\Windows\system32\Eiomkn32.exe 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\system32\Eiaiqn32.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Ebinic32.exe C:\Windows\system32\Ebinic32.exe 19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\system32\Fjdbnf32.exe 20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\system32\Faokjpfd.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Fpdhklkl.exe C:\Windows\system32\Fpdhklkl.exe 22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\system32\Fmhheqje.exe 23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Fioija32.exe C:\Windows\system32\Fioija32.exe 24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Flmefm32.exe C:\Windows\system32\Flmefm32.exe 25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\system32\Ffbicfoc.exe 26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Gonnhhln.exe C:\Windows\system32\Gonnhhln.exe 27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\system32\Gbijhg32.exe 28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Gbkgnfbd.exe C:\Windows\system32\Gbkgnfbd.exe 29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\system32\Gaqcoc32.exe 30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Gelppaof.exe C:\Windows\system32\Gelppaof.exe 31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Ghmiam32.exe C:\Windows\system32\Ghmiam32.exe 32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\system32\Gkkemh32.exe 33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\system32\Hiqbndpb.exe 34⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Hpkjko32.exe C:\Windows\system32\Hpkjko32.exe 35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\system32\Hdhbam32.exe 36⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\system32\Hggomh32.exe 37⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Hellne32.exe C:\Windows\system32\Hellne32.exe 38⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hhjhkq32.exe C:\Windows\system32\Hhjhkq32.exe 39⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\system32\Ieqeidnl.exe 40⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ilknfn32.exe C:\Windows\system32\Ilknfn32.exe 41⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Inljnfkg.exe C:\Windows\system32\Inljnfkg.exe 42⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Igdogl32.exe C:\Windows\system32\Igdogl32.exe 43⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Inngcfid.exe C:\Windows\system32\Inngcfid.exe 44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Ihdkao32.exe C:\Windows\system32\Ihdkao32.exe 45⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Iggkllpe.exe C:\Windows\system32\Iggkllpe.exe 46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Ijeghgoh.exe C:\Windows\system32\Ijeghgoh.exe 47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Igihbknb.exe C:\Windows\system32\Igihbknb.exe 48⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Imfqjbli.exe C:\Windows\system32\Imfqjbli.exe 49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Igkdgk32.exe C:\Windows\system32\Igkdgk32.exe 50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Jnemdecl.exe C:\Windows\system32\Jnemdecl.exe 51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Jofiln32.exe C:\Windows\system32\Jofiln32.exe 52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Jjlnif32.exe C:\Windows\system32\Jjlnif32.exe 53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Jjojofgn.exe C:\Windows\system32\Jjojofgn.exe 54⤵
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Jkpgfn32.exe C:\Windows\system32\Jkpgfn32.exe 55⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Jokcgmee.exe C:\Windows\system32\Jokcgmee.exe 56⤵
- Executes dropped EXE
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Jcgogk32.exe C:\Windows\system32\Jcgogk32.exe 57⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Jehkodcm.exe C:\Windows\system32\Jehkodcm.exe 58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Jmocpado.exe C:\Windows\system32\Jmocpado.exe 59⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jkbcln32.exe C:\Windows\system32\Jkbcln32.exe 60⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Jbllihbf.exe C:\Windows\system32\Jbllihbf.exe 61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Jkdpanhg.exe C:\Windows\system32\Jkdpanhg.exe 62⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jbnhng32.exe C:\Windows\system32\Jbnhng32.exe 63⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kemejc32.exe C:\Windows\system32\Kemejc32.exe 64⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kjjmbj32.exe C:\Windows\system32\Kjjmbj32.exe 65⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Kbqecg32.exe C:\Windows\system32\Kbqecg32.exe 66⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kaceodek.exe C:\Windows\system32\Kaceodek.exe 67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Kjljhjkl.exe C:\Windows\system32\Kjljhjkl.exe 68⤵ PID:1740
-
C:\Windows\SysWOW64\Kmjfdejp.exe C:\Windows\system32\Kmjfdejp.exe 69⤵ PID:1896
-
C:\Windows\SysWOW64\Kcdnao32.exe C:\Windows\system32\Kcdnao32.exe 70⤵
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Kfbkmk32.exe C:\Windows\system32\Kfbkmk32.exe 71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1316 -
C:\Windows\SysWOW64\Kahojc32.exe C:\Windows\system32\Kahojc32.exe 72⤵ PID:1800
-
C:\Windows\SysWOW64\Kgbggnhc.exe C:\Windows\system32\Kgbggnhc.exe 73⤵ PID:2380
-
C:\Windows\SysWOW64\Kmopod32.exe C:\Windows\system32\Kmopod32.exe 74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Kaklpcoc.exe C:\Windows\system32\Kaklpcoc.exe 75⤵ PID:1696
-
C:\Windows\SysWOW64\Kcihlong.exe C:\Windows\system32\Kcihlong.exe 76⤵ PID:2792
-
C:\Windows\SysWOW64\Kjcpii32.exe C:\Windows\system32\Kjcpii32.exe 77⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Lbnemk32.exe C:\Windows\system32\Lbnemk32.exe 78⤵ PID:2572
-
C:\Windows\SysWOW64\Llfifq32.exe C:\Windows\system32\Llfifq32.exe 79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Loeebl32.exe C:\Windows\system32\Loeebl32.exe 80⤵ PID:1056
-
C:\Windows\SysWOW64\Lflmci32.exe C:\Windows\system32\Lflmci32.exe 81⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Lliflp32.exe C:\Windows\system32\Lliflp32.exe 82⤵ PID:892
-
C:\Windows\SysWOW64\Logbhl32.exe C:\Windows\system32\Logbhl32.exe 83⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Lhpfqama.exe C:\Windows\system32\Lhpfqama.exe 84⤵
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Lkncmmle.exe C:\Windows\system32\Lkncmmle.exe 85⤵ PID:1628
-
C:\Windows\SysWOW64\Lbeknj32.exe C:\Windows\system32\Lbeknj32.exe 86⤵ PID:452
-
C:\Windows\SysWOW64\Llnofpcg.exe C:\Windows\system32\Llnofpcg.exe 87⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Lkppbl32.exe C:\Windows\system32\Lkppbl32.exe 88⤵ PID:348
-
C:\Windows\SysWOW64\Lajhofao.exe C:\Windows\system32\Lajhofao.exe 89⤵ PID:1732
-
C:\Windows\SysWOW64\Ldidkbpb.exe C:\Windows\system32\Ldidkbpb.exe 90⤵ PID:2368
-
C:\Windows\SysWOW64\Mggpgmof.exe C:\Windows\system32\Mggpgmof.exe 91⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Monhhk32.exe C:\Windows\system32\Monhhk32.exe 92⤵ PID:1588
-
C:\Windows\SysWOW64\Mppepcfg.exe C:\Windows\system32\Mppepcfg.exe 93⤵ PID:2756
-
C:\Windows\SysWOW64\Mgimmm32.exe C:\Windows\system32\Mgimmm32.exe 94⤵ PID:2684
-
C:\Windows\SysWOW64\Mihiih32.exe C:\Windows\system32\Mihiih32.exe 95⤵ PID:2880
-
C:\Windows\SysWOW64\Maoajf32.exe C:\Windows\system32\Maoajf32.exe 96⤵ PID:2520
-
C:\Windows\SysWOW64\Mbpnanch.exe C:\Windows\system32\Mbpnanch.exe 97⤵ PID:1512
-
C:\Windows\SysWOW64\Mgljbm32.exe C:\Windows\system32\Mgljbm32.exe 98⤵ PID:1408
-
C:\Windows\SysWOW64\Mijfnh32.exe C:\Windows\system32\Mijfnh32.exe 99⤵ PID:2224
-
C:\Windows\SysWOW64\Mdpjlajk.exe C:\Windows\system32\Mdpjlajk.exe 100⤵ PID:2804
-
C:\Windows\SysWOW64\Meagci32.exe C:\Windows\system32\Meagci32.exe 101⤵ PID:324
-
C:\Windows\SysWOW64\Mimbdhhb.exe C:\Windows\system32\Mimbdhhb.exe 102⤵ PID:1792
-
C:\Windows\SysWOW64\Mmhodf32.exe C:\Windows\system32\Mmhodf32.exe 103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Moiklogi.exe C:\Windows\system32\Moiklogi.exe 104⤵
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Mgqcmlgl.exe C:\Windows\system32\Mgqcmlgl.exe 105⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Mlmlecec.exe C:\Windows\system32\Mlmlecec.exe 106⤵ PID:2992
-
C:\Windows\SysWOW64\Nolhan32.exe C:\Windows\system32\Nolhan32.exe 107⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Nefpnhlc.exe C:\Windows\system32\Nefpnhlc.exe 108⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Nlphkb32.exe C:\Windows\system32\Nlphkb32.exe 109⤵ PID:2720
-
C:\Windows\SysWOW64\Nondgn32.exe C:\Windows\system32\Nondgn32.exe 110⤵ PID:2620
-
C:\Windows\SysWOW64\Namqci32.exe C:\Windows\system32\Namqci32.exe 111⤵ PID:2516
-
C:\Windows\SysWOW64\Nehmdhja.exe C:\Windows\system32\Nehmdhja.exe 112⤵ PID:2340
-
C:\Windows\SysWOW64\Nkeelohh.exe C:\Windows\system32\Nkeelohh.exe 113⤵ PID:2284
-
C:\Windows\SysWOW64\Nncahjgl.exe C:\Windows\system32\Nncahjgl.exe 114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Nhiffc32.exe C:\Windows\system32\Nhiffc32.exe 115⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Nglfapnl.exe C:\Windows\system32\Nglfapnl.exe 116⤵ PID:1652
-
C:\Windows\SysWOW64\Nnennj32.exe C:\Windows\system32\Nnennj32.exe 117⤵ PID:3012
-
C:\Windows\SysWOW64\Npdjje32.exe C:\Windows\system32\Npdjje32.exe 118⤵ PID:2032
-
C:\Windows\SysWOW64\Nhkbkc32.exe C:\Windows\system32\Nhkbkc32.exe 119⤵ PID:320
-
C:\Windows\SysWOW64\Ngnbgplj.exe C:\Windows\system32\Ngnbgplj.exe 120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Nacgdhlp.exe C:\Windows\system32\Nacgdhlp.exe 121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Npfgpe32.exe C:\Windows\system32\Npfgpe32.exe 122⤵
- Drops file in System32 directory
PID:2528