Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31/05/2024, 14:35
Behavioral task: behavioral1
Sample: ef58f79ecc93e01cae265a04efdc1410_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: ef58f79ecc93e01cae265a04efdc1410_NeikiAnalytics.exe
Resource: win10v2004-20240226-en
General
Target: ef58f79ecc93e01cae265a04efdc1410_NeikiAnalytics.exe
Size: 229KB
MD5: ef58f79ecc93e01cae265a04efdc1410
SHA1: 4af73eddcf30598e8553f790cf27fa5bd82acc9d
SHA256: 3a6b635e79042be0c2300abbcfbefa8b1b095f3a4c3cf7982ccc9885b7b98c78
SHA512: 75ca76dff6b2a2c575da521652d3a384f2d572f257dd87e0f86b159c78ed9d5cd6accb6d32935fa6615d8d4ac56432b181a265f93956388a718fbf612848dfb9
SSDEEP: 6144:HIvThqCMD7Dq/271+HZ/pvkym/89bYEwPhCKvav:ovThqVL7AIfFfvav
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4984, pid_target: 4992, Process: WerFault.exe, procid_target: 675
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef58f79ecc93e01cae265a04efdc1410_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ef58f79ecc93e01cae265a04efdc1410_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:400 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe33⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe34⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe37⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe40⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe41⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe42⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe43⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe45⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe46⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe47⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe49⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe50⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe53⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe54⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe55⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe56⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe57⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe58⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe60⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe61⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe64⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe66⤵PID:1216
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe67⤵PID:1344
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe68⤵PID:1244
-
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe69⤵PID:1552
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe70⤵PID:1700
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe71⤵
- Drops file in System32 directory
PID:1376 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2304 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:560 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe74⤵PID:2876
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe75⤵PID:3052
-
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe76⤵PID:2604
-
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe77⤵PID:2596
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe78⤵PID:2404
-
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe80⤵PID:2428
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe81⤵PID:1720
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe82⤵PID:2084
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe83⤵PID:1328
-
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe84⤵PID:1312
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe85⤵PID:1780
-
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe86⤵PID:1104
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe87⤵PID:980
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe88⤵PID:1296
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe89⤵
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe90⤵PID:2300
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe91⤵PID:2308
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe93⤵PID:2740
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe94⤵
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe95⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe96⤵PID:2472
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe97⤵PID:2436
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe98⤵PID:1804
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe100⤵PID:1740
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe101⤵PID:808
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe102⤵
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe103⤵PID:2208
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe104⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe105⤵
- Modifies registry class
PID:792 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe106⤵PID:1200
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe107⤵PID:1572
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe108⤵
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe109⤵PID:2516
-
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe110⤵PID:2496
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe111⤵PID:1168
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe112⤵PID:2736
-
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe113⤵PID:312
-
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe115⤵PID:1336
-
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe116⤵PID:580
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe117⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe118⤵PID:2996
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe119⤵PID:2320
-
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe120⤵PID:2284
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe122⤵PID:1744
-