Analysis
-
max time kernel
150s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 16:19
General
-
Target
129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
-
Size
282KB
-
MD5
129a5c3a35af8a88138945b19e005bc0
-
SHA1
3ad8d32ae0f8f12e10a425b623bdd3997b6e421b
-
SHA256
9168ae0c6a9ae5627eefaae0716954a6e0375b6a512a19f722971f88d58ed497
-
SHA512
e81408573c3820e77aa99bff53d94854ba87cc8595d081b3456d59c4fa4147a5d0faa9024bf62a29231144b15c0256ec3dbb73f24824fb63770c841d4feceeb8
-
SSDEEP
6144:hLmIHtskDVmsF+ALzKvz6T/nQckEjiPISUOgW9X+hOGzC/:NLdVmcTLzKvz6jkmZzcukG2/
Score
10/10
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 18 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WHA.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\WHA.exeC:\windows\system\WHA.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CHHS.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\CHHS.exeC:\windows\system\CHHS.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SPKEPK.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SPKEPK.exeC:\windows\SPKEPK.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OVI.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\OVI.exeC:\windows\system32\OVI.exe9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WAV.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\WAV.exeC:\windows\system\WAV.exe11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\VLXYQYR.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\VLXYQYR.exeC:\windows\VLXYQYR.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DBY.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\DBY.exeC:\windows\system32\DBY.exe15⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UKN.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\UKN.exeC:\windows\UKN.exe17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QPTSQ.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\QPTSQ.exeC:\windows\system\QPTSQ.exe19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KIADZ.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\KIADZ.exeC:\windows\system\KIADZ.exe21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\CLEYNDV.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\CLEYNDV.exeC:\windows\system\CLEYNDV.exe23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\YIMKP.exe.bat" "24⤵
-
C:\windows\system\YIMKP.exeC:\windows\system\YIMKP.exe25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\LOY.exe.bat" "26⤵
-
C:\windows\LOY.exeC:\windows\LOY.exe27⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZRUU.exe.bat" "28⤵
-
C:\windows\ZRUU.exeC:\windows\ZRUU.exe29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QZJS.exe.bat" "30⤵
-
C:\windows\system\QZJS.exeC:\windows\system\QZJS.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WVUT.exe.bat" "32⤵
-
C:\windows\system\WVUT.exeC:\windows\system\WVUT.exe33⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XYY.exe.bat" "34⤵
-
C:\windows\system\XYY.exeC:\windows\system\XYY.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FDLVVFJ.exe.bat" "36⤵
-
C:\windows\system\FDLVVFJ.exeC:\windows\system\FDLVVFJ.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RTEV.exe.bat" "38⤵
-
C:\windows\SysWOW64\RTEV.exeC:\windows\system32\RTEV.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GJFUPFV.exe.bat" "40⤵
-
C:\windows\GJFUPFV.exeC:\windows\GJFUPFV.exe41⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PJH.exe.bat" "42⤵
-
C:\windows\system\PJH.exeC:\windows\system\PJH.exe43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZHMUIK.exe.bat" "44⤵
-
C:\windows\ZHMUIK.exeC:\windows\ZHMUIK.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\PXA.exe.bat" "46⤵
-
C:\windows\SysWOW64\PXA.exeC:\windows\system32\PXA.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CIEKVRQ.exe.bat" "48⤵
-
C:\windows\CIEKVRQ.exeC:\windows\CIEKVRQ.exe49⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\KOIRGPL.exe.bat" "50⤵
-
C:\windows\system\KOIRGPL.exeC:\windows\system\KOIRGPL.exe51⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\MLWLVY.exe.bat" "52⤵
-
C:\windows\SysWOW64\MLWLVY.exeC:\windows\system32\MLWLVY.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NOA.exe.bat" "54⤵
-
C:\windows\system\NOA.exeC:\windows\system\NOA.exe55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\AZI.exe.bat" "56⤵
-
C:\windows\system\AZI.exeC:\windows\system\AZI.exe57⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\EHPFB.exe.bat" "58⤵
-
C:\windows\EHPFB.exeC:\windows\EHPFB.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TXQF.exe.bat" "60⤵
-
C:\windows\SysWOW64\TXQF.exeC:\windows\system32\TXQF.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BDD.exe.bat" "62⤵
-
C:\windows\BDD.exeC:\windows\BDD.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\FTJTXV.exe.bat" "64⤵
-
C:\windows\system\FTJTXV.exeC:\windows\system\FTJTXV.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\NYJIYA.exe.bat" "66⤵
-
C:\windows\system\NYJIYA.exeC:\windows\system\NYJIYA.exe67⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VMOOJG.exe.bat" "68⤵
-
C:\windows\SysWOW64\VMOOJG.exeC:\windows\system32\VMOOJG.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ERYHZDY.exe.bat" "70⤵
-
C:\windows\ERYHZDY.exeC:\windows\ERYHZDY.exe71⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\YFFFEFU.exe.bat" "72⤵
-
C:\windows\SysWOW64\YFFFEFU.exeC:\windows\system32\YFFFEFU.exe73⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ACLZLND.exe.bat" "74⤵
-
C:\windows\ACLZLND.exeC:\windows\ACLZLND.exe75⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KAZL.exe.bat" "76⤵
-
C:\windows\SysWOW64\KAZL.exeC:\windows\system32\KAZL.exe77⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ILB.exe.bat" "78⤵
-
C:\windows\system\ILB.exeC:\windows\system\ILB.exe79⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\WWKAPM.exe.bat" "80⤵
-
C:\windows\SysWOW64\WWKAPM.exeC:\windows\system32\WWKAPM.exe81⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TMXR.exe.bat" "82⤵
-
C:\windows\SysWOW64\TMXR.exeC:\windows\system32\TMXR.exe83⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OHCBH.exe.bat" "84⤵
-
C:\windows\SysWOW64\OHCBH.exeC:\windows\system32\OHCBH.exe85⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WNPHS.exe.bat" "86⤵
-
C:\windows\WNPHS.exeC:\windows\WNPHS.exe87⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QAURCRJ.exe.bat" "88⤵
-
C:\windows\system\QAURCRJ.exeC:\windows\system\QAURCRJ.exe89⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GQVQJ.exe.bat" "90⤵
-
C:\windows\GQVQJ.exeC:\windows\GQVQJ.exe91⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TBD.exe.bat" "92⤵
-
C:\windows\system\TBD.exeC:\windows\system\TBD.exe93⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GZDTZBD.exe.bat" "94⤵
-
C:\windows\GZDTZBD.exeC:\windows\GZDTZBD.exe95⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QWRNHK.exe.bat" "96⤵
-
C:\windows\system\QWRNHK.exeC:\windows\system\QWRNHK.exe97⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IFFSTB.exe.bat" "98⤵
-
C:\windows\SysWOW64\IFFSTB.exeC:\windows\system32\IFFSTB.exe99⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KCLFJJ.exe.bat" "100⤵
-
C:\windows\SysWOW64\KCLFJJ.exeC:\windows\system32\KCLFJJ.exe101⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UVU.exe.bat" "102⤵
-
C:\windows\SysWOW64\UVU.exeC:\windows\system32\UVU.exe103⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QBABUOH.exe.bat" "104⤵
-
C:\windows\system\QBABUOH.exeC:\windows\system\QBABUOH.exe105⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\ORNTK.exe.bat" "106⤵
-
C:\windows\system\ORNTK.exeC:\windows\system\ORNTK.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DHBKRKE.exe.bat" "108⤵
-
C:\windows\DHBKRKE.exeC:\windows\DHBKRKE.exe109⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JHIYIEG.exe.bat" "110⤵
-
C:\windows\JHIYIEG.exeC:\windows\JHIYIEG.exe111⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\GHK.exe.bat" "112⤵
-
C:\windows\SysWOW64\GHK.exeC:\windows\system32\GHK.exe113⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\FDDLWT.exe.bat" "114⤵
-
C:\windows\SysWOW64\FDDLWT.exeC:\windows\system32\FDDLWT.exe115⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\AQI.exe.bat" "116⤵
-
C:\windows\AQI.exeC:\windows\AQI.exe117⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IEUBRSJ.exe.bat" "118⤵
-
C:\windows\SysWOW64\IEUBRSJ.exeC:\windows\system32\IEUBRSJ.exe119⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\VODAFUE.exe.bat" "120⤵
-
C:\windows\system\VODAFUE.exeC:\windows\system\VODAFUE.exe121⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-