Analysis
max time kernel: 131s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2024, 00:07 UTC
Behavioral task: behavioral1
Sample: 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe
Size: 125KB
MD5: 5d2f65b844213aa26a92e1e498b1e190
SHA1: 5dc48ed340eaeefacc97fce386cc8d77515e62cf
SHA256: 98559176c0e611fa4c8b93b134dd97820b29051df567f15805256266814524c2
SHA512: b77a6aea7d21bae021d778457b21d7029aa90e0f43b118b61d6a56375a0d8edfd31142786eb73b12ab1f000090fe9df9cc1eb31e2f7e448fa97fe4576a2da2a7
SSDEEP: 3072:0sX8LIjaC82lBdGKcSZpTt4Haz5cM1WdTCn93OGey/ZhJakrPF:QLnngnHpTt4Haz5cjTCndOGeKTaG
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7172, pid_target: 7800, Process: WerFault.exe, procid_target: 337
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5d2f65b844213aa26a92e1e498b1e190_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Blnhni32.exeC:\Windows\system32\Blnhni32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Baojaoke.exeC:\Windows\system32\Baojaoke.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Bpcgdfaa.exeC:\Windows\system32\Bpcgdfaa.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Beppmmoi.exeC:\Windows\system32\Beppmmoi.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Chnlihnl.exeC:\Windows\system32\Chnlihnl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Cohdebfi.exeC:\Windows\system32\Cohdebfi.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Cafpanem.exeC:\Windows\system32\Cafpanem.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Cojqkbdf.exeC:\Windows\system32\Cojqkbdf.exe23⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe26⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Cefemliq.exeC:\Windows\system32\Cefemliq.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Clqnjf32.exeC:\Windows\system32\Clqnjf32.exe28⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Coojfa32.exeC:\Windows\system32\Coojfa32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe30⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe32⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Cekohk32.exeC:\Windows\system32\Cekohk32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Dhjkdg32.exeC:\Windows\system32\Dhjkdg32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Dcopbp32.exeC:\Windows\system32\Dcopbp32.exe36⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Denlnk32.exeC:\Windows\system32\Denlnk32.exe37⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Dhlhjf32.exeC:\Windows\system32\Dhlhjf32.exe38⤵
- Executes dropped EXE
PID:4816 -
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4184 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe41⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Dljqpd32.exeC:\Windows\system32\Dljqpd32.exe42⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe43⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Dagiil32.exeC:\Windows\system32\Dagiil32.exe44⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Debeijoc.exeC:\Windows\system32\Debeijoc.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Dokjbp32.exeC:\Windows\system32\Dokjbp32.exe48⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Dfdbojmq.exeC:\Windows\system32\Dfdbojmq.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4124 -
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe50⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Efgodj32.exeC:\Windows\system32\Efgodj32.exe52⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Ehekqe32.exeC:\Windows\system32\Ehekqe32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4664 -
C:\Windows\SysWOW64\Epmcab32.exeC:\Windows\system32\Epmcab32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Ebnoikqb.exeC:\Windows\system32\Ebnoikqb.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3612 -
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ecmlcmhe.exeC:\Windows\system32\Ecmlcmhe.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Ejgdpg32.exeC:\Windows\system32\Ejgdpg32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe60⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe61⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe62⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe64⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4712 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Ehonfc32.exeC:\Windows\system32\Ehonfc32.exe67⤵PID:3304
-
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe68⤵
- Modifies registry class
PID:656 -
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe69⤵
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe70⤵PID:5104
-
C:\Windows\SysWOW64\Fqhbmqqg.exeC:\Windows\system32\Fqhbmqqg.exe71⤵PID:2768
-
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4336 -
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe74⤵PID:4264
-
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe75⤵
- Modifies registry class
PID:4672 -
C:\Windows\SysWOW64\Fjcclf32.exeC:\Windows\system32\Fjcclf32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe77⤵PID:4872
-
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe78⤵PID:4876
-
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe79⤵
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4864 -
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe81⤵PID:1884
-
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe82⤵PID:4680
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe83⤵PID:2012
-
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe84⤵PID:4732
-
C:\Windows\SysWOW64\Gfnnlffc.exeC:\Windows\system32\Gfnnlffc.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:4744 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe86⤵PID:2128
-
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe87⤵PID:2376
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe88⤵PID:5124
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe91⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe92⤵
- Modifies registry class
PID:5324 -
C:\Windows\SysWOW64\Gpklpkio.exeC:\Windows\system32\Gpklpkio.exe93⤵PID:5368
-
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe94⤵
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Gidphq32.exeC:\Windows\system32\Gidphq32.exe95⤵PID:5452
-
C:\Windows\SysWOW64\Gmoliohh.exeC:\Windows\system32\Gmoliohh.exe96⤵
- Modifies registry class
PID:5496 -
C:\Windows\SysWOW64\Gpnhekgl.exeC:\Windows\system32\Gpnhekgl.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe98⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Gfhqbe32.exeC:\Windows\system32\Gfhqbe32.exe99⤵PID:5652
-
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe100⤵
- Drops file in System32 directory
PID:5700 -
C:\Windows\SysWOW64\Gameonno.exeC:\Windows\system32\Gameonno.exe101⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Hclakimb.exeC:\Windows\system32\Hclakimb.exe102⤵
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe103⤵
- Drops file in System32 directory
PID:5828 -
C:\Windows\SysWOW64\Hjfihc32.exeC:\Windows\system32\Hjfihc32.exe104⤵PID:5872
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe105⤵PID:5932
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe106⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6028 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe108⤵
- Modifies registry class
PID:6076 -
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe109⤵PID:6116
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe110⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe111⤵PID:5140
-
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe112⤵
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe114⤵PID:5376
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5432 -
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe116⤵
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe117⤵
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Hbhdmd32.exeC:\Windows\system32\Hbhdmd32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe120⤵PID:5812
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5888 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe122⤵PID:5972
-