Analysis
max time kernel: 145s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 21-05-2024 13:31
Behavioral task: behavioral1
Sample: 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe
Size: 669KB
MD5: ce5aa4e2369141189fec36c3f7a819e0
SHA1: 1e1717a2b6bf9c776abbf560ccf0f928c4fca988
SHA256: 56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512
SHA512: 475c29c4bdc434db48f6e3f746b6624b94d52973df296e7b9083db865983da9859eab3842e2eac702920cc08f2650af5f6c736823a9d8701eb72088eae9cb643
SSDEEP: 12288:neO0rceVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:b03chMpQnqrdX72LbY6x46uR/qYglMi
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 1576, pid_target: 4628, Process: WerFault.exe, procid_target: 504
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\56403b204843697e94304034a7871c04d96d2769fc15ff3c99fda0f406e52512_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Egahen32.exeC:\Windows\system32\Egahen32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe33⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe34⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe35⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe38⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe39⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe40⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe41⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe42⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe43⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe44⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe46⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe47⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe49⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe50⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe51⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe52⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe53⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe55⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe56⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe58⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe59⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe61⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe63⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe64⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe65⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe66⤵PID:2300
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe67⤵PID:324
-
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe68⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe69⤵PID:2856
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe70⤵PID:696
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe72⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe73⤵PID:1604
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe74⤵PID:2992
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe75⤵
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe76⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe77⤵PID:968
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe78⤵PID:580
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe79⤵PID:2228
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe80⤵PID:3048
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe81⤵PID:2240
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe82⤵PID:2548
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe83⤵PID:1888
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe84⤵PID:1484
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe85⤵PID:1980
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe86⤵PID:1952
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe87⤵PID:2140
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe88⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe89⤵PID:2368
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe90⤵PID:1792
-
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe93⤵PID:1596
-
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe94⤵PID:1072
-
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe95⤵PID:2344
-
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe96⤵PID:1156
-
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe97⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe100⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe101⤵PID:2284
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe102⤵PID:1956
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe103⤵PID:2932
-
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe104⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe105⤵PID:520
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe106⤵PID:2424
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe107⤵PID:2144
-
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe108⤵PID:832
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe109⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe110⤵PID:1504
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe112⤵PID:912
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe114⤵PID:1916
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe115⤵PID:884
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe116⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe118⤵PID:2792
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe119⤵PID:1696
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe120⤵PID:2116
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe121⤵PID:1976
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe122⤵PID:1492
-