Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 03/06/2024, 21:44
Behavioral task behavioral1
- Sample: 066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: 066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe
- Size: 227KB
- MD5: 066b980647f7f526bff743cc67a12c10
- SHA1: b2ab174539c63889a3719861fa93fd4561256de9
- SHA256: de4030a6fc518bf9c5766bae1c334b129b0dc2ec1aa979c9df7d1f99f446f9e3
- SHA512: 8903b57772657efe59eda08c042b6d3ff8f2967f5c6727b33d31df1b2e781be3e5feb423beab2d6995ac1244499660e661eb76f7315af43029f18cb6631ab3b3
- SSDEEP: 3072:IIbktLcn0Zw/EeykpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:otL/Z2Km7U5j2QE2+g24Id2jFHu
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 4392, pid_target: 4832, Process: WerFault.exe
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\066b980647f7f526bff743cc67a12c10_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Jebiaelb.exeC:\Windows\system32\Jebiaelb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe33⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe34⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe35⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe36⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe37⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe38⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe39⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe40⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe41⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe43⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe45⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe47⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe48⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe49⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe50⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe51⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe53⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe56⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe57⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe58⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe61⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe64⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe65⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe66⤵PID:2712
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe68⤵PID:2320
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe69⤵PID:2256
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe70⤵PID:2576
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe71⤵PID:2612
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe72⤵PID:1640
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe73⤵PID:2464
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe74⤵PID:1272
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe75⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe76⤵PID:1264
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe77⤵PID:1252
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe78⤵PID:1224
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe79⤵PID:2528
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe80⤵PID:1924
-
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe81⤵PID:1568
-
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe82⤵PID:2488
-
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe83⤵PID:1800
-
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe84⤵PID:900
-
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe85⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:292 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe87⤵PID:2232
-
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe89⤵PID:1708
-
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe91⤵PID:1476
-
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe92⤵PID:1588
-
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe94⤵PID:548
-
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe95⤵
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe97⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe98⤵
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe99⤵PID:2128
-
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe100⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe101⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Oojknblb.exeC:\Windows\system32\Oojknblb.exe102⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe104⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe106⤵PID:2736
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe107⤵PID:328
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe108⤵PID:2024
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:688 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe110⤵PID:1468
-
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe111⤵PID:2504
-
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:288 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe113⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe114⤵
- Drops file in System32 directory
PID:640 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe115⤵
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe116⤵PID:1604
-
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe117⤵PID:2596
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe118⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe119⤵PID:1592
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe120⤵PID:2016
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe121⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe122⤵PID:1724
-