Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
28-05-2024 04:44
General
-
Target
32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
-
Size
282KB
-
MD5
32facde47575d88303a6deceae2454a0
-
SHA1
8541b6145a3b4c5d594bfd8e9afda2b45764e25b
-
SHA256
b311f0ad6efaea64cd8400e4756d611cdb553608975049cae476709c74028e5a
-
SHA512
687bdbfe674cdd0e108cc51c858237e7c125ca90add07a4bf1bc5a16a95830e0379819c52d687a8d55a82d209880aeb5a3e4eaa9b2dd98dd9d4e40ff2dad66b4
-
SSDEEP
6144:kYXEmup2uytWBvAnk3jys/kEjiPISUOgW9X+hOGzC/:knmusWBgWjPkmZzcukG2/
Score
10/10
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 19 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\SZR.exe.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\SZR.exeC:\windows\system\SZR.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NMWPR.exe.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\NMWPR.exeC:\windows\NMWPR.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CABD.exe.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\CABD.exeC:\windows\system32\CABD.exe7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\HDFBU.exe.bat" "8⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\HDFBU.exeC:\windows\system\HDFBU.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\BQR.exe.bat" "10⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\BQR.exeC:\windows\BQR.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OBVY.exe.bat" "12⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\OBVY.exeC:\windows\system32\OBVY.exe13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\EPMFZPU.exe.bat" "14⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\EPMFZPU.exeC:\windows\system\EPMFZPU.exe15⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\PHPPHX.exe.bat" "16⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\PHPPHX.exeC:\windows\PHPPHX.exe17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\XNUEKV.exe.bat" "18⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\system\XNUEKV.exeC:\windows\system\XNUEKV.exe19⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SAY.exe.bat" "20⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\SAY.exeC:\windows\SAY.exe21⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\JINLH.exe.bat" "22⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\JINLH.exeC:\windows\JINLH.exe23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\CLROMKQ.exe.bat" "24⤵
-
C:\windows\SysWOW64\CLROMKQ.exeC:\windows\system32\CLROMKQ.exe25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RBSGT.exe.bat" "26⤵
-
C:\windows\RBSGT.exeC:\windows\RBSGT.exe27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\YMP.exe.bat" "28⤵
-
C:\windows\YMP.exeC:\windows\YMP.exe29⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MSN.exe.bat" "30⤵
-
C:\windows\system\MSN.exeC:\windows\system\MSN.exe31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PAVI.exe.bat" "32⤵
-
C:\windows\system\PAVI.exeC:\windows\system\PAVI.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\EVFMKNI.exe.bat" "34⤵
-
C:\windows\SysWOW64\EVFMKNI.exeC:\windows\system32\EVFMKNI.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TLUSUW.exe.bat" "36⤵
-
C:\windows\SysWOW64\TLUSUW.exeC:\windows\system32\TLUSUW.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZLC.exe.bat" "38⤵
-
C:\windows\ZLC.exeC:\windows\ZLC.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QUR.exe.bat" "40⤵
-
C:\windows\system\QUR.exeC:\windows\system\QUR.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\PETTZVX.exe.bat" "42⤵
-
C:\windows\system\PETTZVX.exeC:\windows\system\PETTZVX.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\XKGAJUT.exe.bat" "44⤵
-
C:\windows\SysWOW64\XKGAJUT.exeC:\windows\system32\XKGAJUT.exe45⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\TLIKNY.exe.bat" "46⤵
-
C:\windows\system\TLIKNY.exeC:\windows\system\TLIKNY.exe47⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ZLP.exe.bat" "48⤵
-
C:\windows\ZLP.exeC:\windows\ZLP.exe49⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DTWYIK.exe.bat" "50⤵
-
C:\windows\SysWOW64\DTWYIK.exeC:\windows\system32\DTWYIK.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\JOVZNOH.exe.bat" "52⤵
-
C:\windows\SysWOW64\JOVZNOH.exeC:\windows\system32\JOVZNOH.exe53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RCINYM.exe.bat" "54⤵
-
C:\windows\SysWOW64\RCINYM.exeC:\windows\system32\RCINYM.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\TZNAFU.exe.bat" "56⤵
-
C:\windows\SysWOW64\TZNAFU.exeC:\windows\system32\TZNAFU.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\WNFJZO.exe.bat" "58⤵
-
C:\windows\WNFJZO.exeC:\windows\WNFJZO.exe59⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\QAJ.exe.bat" "60⤵
-
C:\windows\SysWOW64\QAJ.exeC:\windows\system32\QAJ.exe61⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\RDNOO.exe.bat" "62⤵
-
C:\windows\SysWOW64\RDNOO.exeC:\windows\system32\RDNOO.exe63⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\KGRS.exe.bat" "64⤵
-
C:\windows\KGRS.exeC:\windows\KGRS.exe65⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\BGTXX.exe.bat" "66⤵
-
C:\windows\system\BGTXX.exeC:\windows\system\BGTXX.exe67⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\WCKZRK.exe.bat" "68⤵
-
C:\windows\system\WCKZRK.exeC:\windows\system\WCKZRK.exe69⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\JEGFW.exe.bat" "70⤵
-
C:\windows\system\JEGFW.exeC:\windows\system\JEGFW.exe71⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\KIKB.exe.bat" "72⤵
-
C:\windows\SysWOW64\KIKB.exeC:\windows\system32\KIKB.exe73⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TIMGF.exe.bat" "74⤵
-
C:\windows\TIMGF.exeC:\windows\TIMGF.exe75⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\ILW.exe.bat" "76⤵
-
C:\windows\ILW.exeC:\windows\ILW.exe77⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\MOUFXD.exe.bat" "78⤵
-
C:\windows\MOUFXD.exeC:\windows\MOUFXD.exe79⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\OMHAF.exe.bat" "80⤵
-
C:\windows\SysWOW64\OMHAF.exeC:\windows\system32\OMHAF.exe81⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\UMPNWN.exe.bat" "82⤵
-
C:\windows\UMPNWN.exeC:\windows\UMPNWN.exe83⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NEWYFG.exe.bat" "84⤵
-
C:\windows\NEWYFG.exeC:\windows\NEWYFG.exe85⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\TAWH.exe.bat" "86⤵
-
C:\windows\TAWH.exeC:\windows\TAWH.exe87⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MVZDP.exe.bat" "88⤵
-
C:\windows\system\MVZDP.exeC:\windows\system\MVZDP.exe89⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\DIK.exe.bat" "90⤵
-
C:\windows\SysWOW64\DIK.exeC:\windows\system32\DIK.exe91⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\NQMAJ.exe.bat" "92⤵
-
C:\windows\NQMAJ.exeC:\windows\NQMAJ.exe93⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\VWYH.exe.bat" "94⤵
-
C:\windows\SysWOW64\VWYH.exeC:\windows\system32\VWYH.exe95⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\MEAUX.exe.bat" "96⤵
-
C:\windows\system\MEAUX.exeC:\windows\system\MEAUX.exe97⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\QMH.exe.bat" "98⤵
-
C:\windows\system\QMH.exeC:\windows\system\QMH.exe99⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\IPLXONV.exe.bat" "100⤵
-
C:\windows\SysWOW64\IPLXONV.exeC:\windows\system32\IPLXONV.exe101⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\SNRK.exe.bat" "102⤵
-
C:\windows\SNRK.exeC:\windows\SNRK.exe103⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\IIIWPIM.exe.bat" "104⤵
-
C:\windows\system\IIIWPIM.exeC:\windows\system\IIIWPIM.exe105⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system\GTLMYO.exe.bat" "106⤵
-
C:\windows\system\GTLMYO.exeC:\windows\system\GTLMYO.exe107⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\GZDTZBD.exe.bat" "108⤵
-
C:\windows\GZDTZBD.exeC:\windows\GZDTZBD.exe109⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\UJTRN.exe.bat" "110⤵
-
C:\windows\SysWOW64\UJTRN.exeC:\windows\system32\UJTRN.exe111⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\system32\SUWH.exe.bat" "112⤵
-
C:\windows\SysWOW64\SUWH.exeC:\windows\system32\SUWH.exe113⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\HPGMHFV.exe.bat" "114⤵
-
C:\windows\HPGMHFV.exeC:\windows\HPGMHFV.exe115⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\CKK.exe.bat" "116⤵
-
C:\windows\CKK.exeC:\windows\CKK.exe117⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\RALUYAZ.exe.bat" "118⤵
-
C:\windows\RALUYAZ.exeC:\windows\RALUYAZ.exe119⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows\DTO.exe.bat" "120⤵
-
C:\windows\DTO.exeC:\windows\DTO.exe121⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-