Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 304s
max time network: 306s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/06/2024, 21:53
Static task: static1
Behavioral task: behavioral1
  Sample: 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe
Size: 104KB
MD5: 2c95b2b9ba80bd2eeb26422c6c21c500
SHA1: 87f3cdcbdf3cf0b72a879447cea0a644b51b6b03
SHA256: 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990
SHA512: 7d24812f5fb9e55f9698744537cff7ca2b4ed5c93c8cc2bf335ce1a0a946e306985b8b7b2be8267d527974d2b9971a4d7ddb9e425db04ff624f2dcbcf8bd3413
SSDEEP: 3072:oGCo6a+dYpdmtAtL3A1fJe5Jx7cEGrhkngpDvchkqbAIQS:pCpaQYPm8L3A1fc5Jx4brq2Ahn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid | pid_target | Process | procid_target
9332 | 9232 | WerFault.exe | 416
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641718492205323" | chrome.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
8160 | chrome.exe
8160 | chrome.exe
8160 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 27 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1420 wrote to memory of 4656 1420 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 84 PID 1420 wrote to memory of 4656 1420 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 84 PID 1420 wrote to memory of 4656 1420 02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe 84 PID 4656 wrote to memory of 4892 4656 Pclneicb.exe 85 PID 4656 wrote to memory of 4892 4656 Pclneicb.exe 85 PID 4656 wrote to memory of 4892 4656 Pclneicb.exe 85 PID 4892 wrote to memory of 2408 4892 Pbmncp32.exe 86 PID 4892 wrote to memory of 2408 4892 Pbmncp32.exe 86 PID 4892 wrote to memory of 2408 4892 Pbmncp32.exe 86 PID 2408 wrote to memory of 4484 2408 Pjhbgb32.exe 87 PID 2408 wrote to memory of 4484 2408 Pjhbgb32.exe 87 PID 2408 wrote to memory of 4484 2408 Pjhbgb32.exe 87 PID 4484 wrote to memory of 336 4484 Pbpjhp32.exe 88 PID 4484 wrote to memory of 336 4484 Pbpjhp32.exe 88 PID 4484 wrote to memory of 336 4484 Pbpjhp32.exe 88 PID 336 wrote to memory of 4088 336 Pjkombfj.exe 89 PID 336 wrote to memory of 4088 336 Pjkombfj.exe 89 PID 336 wrote to memory of 4088 336 Pjkombfj.exe 89 PID 4088 wrote to memory of 1368 4088 Peqcjkfp.exe 90 PID 4088 wrote to memory of 1368 4088 Peqcjkfp.exe 90 PID 4088 wrote to memory of 1368 4088 Peqcjkfp.exe 90 PID 1368 wrote to memory of 4924 1368 Pjmlbbdg.exe 91 PID 1368 wrote to memory of 4924 1368 Pjmlbbdg.exe 91 PID 1368 wrote to memory of 4924 1368 Pjmlbbdg.exe 91 PID 4924 wrote to memory of 5064 4924 Qecppkdm.exe 92 PID 4924 wrote to memory of 5064 4924 Qecppkdm.exe 92 PID 4924 wrote to memory of 5064 4924 Qecppkdm.exe 92 PID 5064 wrote to memory of 2404 5064 Qjpiha32.exe 93 PID 5064 wrote to memory of 2404 5064 Qjpiha32.exe 93 PID 5064 wrote to memory of 2404 5064 Qjpiha32.exe 93 PID 2404 wrote to memory of 624 2404 Qeemej32.exe 94 PID 2404 wrote to memory of 624 2404 Qeemej32.exe 94 PID 2404 wrote to memory of 624 
2404 Qeemej32.exe 94 PID 624 wrote to memory of 5012 624 Qloebdig.exe 96 PID 624 wrote to memory of 5012 624 Qloebdig.exe 96 PID 624 wrote to memory of 5012 624 Qloebdig.exe 96 PID 5012 wrote to memory of 1572 5012 Qalnjkgo.exe 97 PID 5012 wrote to memory of 1572 5012 Qalnjkgo.exe 97 PID 5012 wrote to memory of 1572 5012 Qalnjkgo.exe 97 PID 1572 wrote to memory of 3484 1572 Alabgd32.exe 98 PID 1572 wrote to memory of 3484 1572 Alabgd32.exe 98 PID 1572 wrote to memory of 3484 1572 Alabgd32.exe 98 PID 3484 wrote to memory of 720 3484 Aanjpk32.exe 99 PID 3484 wrote to memory of 720 3484 Aanjpk32.exe 99 PID 3484 wrote to memory of 720 3484 Aanjpk32.exe 99 PID 720 wrote to memory of 2180 720 Ajfoiqll.exe 100 PID 720 wrote to memory of 2180 720 Ajfoiqll.exe 100 PID 720 wrote to memory of 2180 720 Ajfoiqll.exe 100 PID 2180 wrote to memory of 896 2180 Aelcfilb.exe 102 PID 2180 wrote to memory of 896 2180 Aelcfilb.exe 102 PID 2180 wrote to memory of 896 2180 Aelcfilb.exe 102 PID 896 wrote to memory of 4604 896 Alfkbc32.exe 103 PID 896 wrote to memory of 4604 896 Alfkbc32.exe 103 PID 896 wrote to memory of 4604 896 Alfkbc32.exe 103 PID 4604 wrote to memory of 3700 4604 Abpcon32.exe 104 PID 4604 wrote to memory of 3700 4604 Abpcon32.exe 104 PID 4604 wrote to memory of 3700 4604 Abpcon32.exe 104 PID 3700 wrote to memory of 4676 3700 Ahmlgd32.exe 105 PID 3700 wrote to memory of 4676 3700 Ahmlgd32.exe 105 PID 3700 wrote to memory of 4676 3700 Ahmlgd32.exe 105 PID 4676 wrote to memory of 784 4676 Aaepqjpd.exe 106 PID 4676 wrote to memory of 784 4676 Aaepqjpd.exe 106 PID 4676 wrote to memory of 784 4676 Aaepqjpd.exe 106 PID 784 wrote to memory of 1080 784 Ahoimd32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\02f245d92b6b892cb62f71a525ea42732322db439f02a870b13a1ba46cc0e990_NeikiAnalytics.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe24⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe25⤵
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe26⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe28⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe29⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe30⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe33⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe34⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe35⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4120 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe37⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe39⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe42⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe43⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe44⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe45⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe47⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4620 -
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe49⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe50⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe51⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe52⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe53⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:516 -
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4308 -
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe56⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe57⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3864 -
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe59⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe60⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe61⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Dkoggkjo.exeC:\Windows\system32\Dkoggkjo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe64⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe66⤵PID:4684
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe67⤵PID:4432
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe68⤵PID:2720
-
C:\Windows\SysWOW64\Eamhodmf.exeC:\Windows\system32\Eamhodmf.exe69⤵
- Drops file in System32 directory
PID:4660 -
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe70⤵PID:4540
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe71⤵PID:4860
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe72⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe73⤵PID:2236
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe74⤵PID:924
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe75⤵PID:4768
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe76⤵
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe78⤵PID:4636
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe79⤵
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe80⤵PID:4856
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe81⤵PID:1372
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe83⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe85⤵PID:2824
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe86⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe87⤵PID:628
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe88⤵PID:2428
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe89⤵PID:5148
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe90⤵PID:5192
-
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe91⤵PID:5236
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5320 -
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe94⤵PID:5368
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe95⤵
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Gbdgfa32.exeC:\Windows\system32\Gbdgfa32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe97⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe98⤵PID:5544
-
C:\Windows\SysWOW64\Gkmlofol.exeC:\Windows\system32\Gkmlofol.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe100⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe101⤵PID:5672
-
C:\Windows\SysWOW64\Gdeqhl32.exeC:\Windows\system32\Gdeqhl32.exe102⤵
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe103⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe104⤵PID:5812
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe105⤵PID:5856
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe106⤵PID:5900
-
C:\Windows\SysWOW64\Gkaejf32.exeC:\Windows\system32\Gkaejf32.exe107⤵PID:5940
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5988 -
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe109⤵
- Modifies registry class
PID:6032 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe110⤵PID:6076
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe111⤵PID:6120
-
C:\Windows\SysWOW64\Hopnqdan.exeC:\Windows\system32\Hopnqdan.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe113⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe114⤵PID:5260
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe115⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe116⤵PID:5396
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe117⤵PID:5488
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe118⤵
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Heocnk32.exeC:\Windows\system32\Heocnk32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Hmfkoh32.exeC:\Windows\system32\Hmfkoh32.exe120⤵
- Modifies registry class
PID:5660 -
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe121⤵PID:5712
-
C:\Windows\SysWOW64\Hcpclbfa.exeC:\Windows\system32\Hcpclbfa.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5808