Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 03:27
Behavioral task
behavioral1
Sample
debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe
-
Size
199KB
-
MD5
debad8120c6d7432cc23776a0b4edbf0
-
SHA1
19de0ed2086a71cf773e766b8010eeeee9a10b3a
-
SHA256
ab62093dad3ab38d64ed9bbac8ed061a1b645562f6da26a5d28c19d45a0dca53
-
SHA512
add9b0ff9a38c80aeb975f6af98b8cb1a9d9d73db7fe997945c42768547d8604d89cc67d137d8936292005007d61d5d848a0139a944f4ac12bf2cfbe5b982972
-
SSDEEP
3072:hwGQjZaPIwm4HhBhv5S5DSCopsIm81+jq2832dp5Xp+7+10K03Rq/ghavVQXxFas:FNhv5SZSCZj81+jq4peBK034YOmFz1h
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njdpomfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphjgfqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhhqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgknheej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cciemedf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghfbqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfkpdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmhol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alenki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddagfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpfdalii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhnli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eilpeooq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klnjbbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egdilkbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llccmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madapkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhnjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfencna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiecb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bloqah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbkja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dchali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ealnephf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnfaffc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqqdag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlkpjpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdamqndn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaemjbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koocdnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbbfopeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imeggc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nghphaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgobhcac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnfjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filldb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpjbad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kllmmc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000b0000000144ac-5.dat family_berbew behavioral1/files/0x0008000000014af6-24.dat family_berbew behavioral1/files/0x0007000000014b70-32.dat family_berbew behavioral1/files/0x000a000000014ef8-45.dat family_berbew behavioral1/files/0x0007000000015605-79.dat family_berbew behavioral1/files/0x0006000000015626-85.dat family_berbew behavioral1/files/0x0006000000015c6b-112.dat family_berbew behavioral1/files/0x0006000000015cee-160.dat family_berbew behavioral1/files/0x0006000000015cfe-174.dat family_berbew behavioral1/files/0x0006000000015d98-207.dat family_berbew behavioral1/files/0x0006000000015f01-225.dat family_berbew behavioral1/files/0x000600000001650c-254.dat family_berbew behavioral1/files/0x00060000000167d5-266.dat family_berbew behavioral1/files/0x0006000000016c04-287.dat family_berbew behavioral1/files/0x0006000000016cb6-309.dat family_berbew behavioral1/files/0x0006000000016cc6-319.dat family_berbew behavioral1/files/0x0006000000016e4a-362.dat family_berbew behavioral1/files/0x0006000000017422-407.dat family_berbew behavioral1/files/0x0006000000018ed8-451.dat family_berbew behavioral1/files/0x00050000000191e7-507.dat family_berbew behavioral1/files/0x00050000000192d8-526.dat family_berbew behavioral1/files/0x000500000001931c-547.dat family_berbew behavioral1/files/0x00050000000193e1-592.dat family_berbew behavioral1/files/0x000500000001944d-613.dat family_berbew behavioral1/files/0x00050000000195b5-634.dat family_berbew behavioral1/files/0x000500000001972f-657.dat family_berbew behavioral1/files/0x0005000000019bdf-676.dat family_berbew behavioral1/files/0x0005000000019ee2-708.dat family_berbew behavioral1/files/0x000500000001a3b5-755.dat family_berbew behavioral1/files/0x000500000001a436-826.dat family_berbew behavioral1/files/0x000500000001a43a-835.dat family_berbew behavioral1/files/0x000500000001a44b-880.dat family_berbew behavioral1/files/0x000500000001a458-909.dat family_berbew behavioral1/files/0x000500000001a460-932.dat family_berbew behavioral1/files/0x000500000001a46c-971.dat family_berbew behavioral1/files/0x000500000001a47c-1018.dat family_berbew behavioral1/files/0x000500000001c6fb-1101.dat family_berbew behavioral1/files/0x000500000001c7c8-1135.dat family_berbew behavioral1/files/0x000500000001c7e8-1162.dat family_berbew behavioral1/files/0x000500000001c841-1272.dat family_berbew behavioral1/files/0x000500000001c853-1318.dat family_berbew behavioral1/files/0x000500000001c86b-1394.dat family_berbew behavioral1/files/0x000400000001ca0b-1431.dat family_berbew behavioral1/files/0x000400000001cacf-1456.dat family_berbew behavioral1/files/0x000400000001cb88-1664.dat family_berbew behavioral1/files/0x000400000001cc16-1706.dat family_berbew behavioral1/files/0x000400000001cc22-1732.dat family_berbew behavioral1/files/0x000400000001cc2b-1748.dat family_berbew behavioral1/files/0x000400000001cc2f-1756.dat family_berbew behavioral1/files/0x000400000001cce8-1780.dat family_berbew behavioral1/files/0x000400000001cd4b-1802.dat family_berbew behavioral1/files/0x000400000001ce5a-1828.dat family_berbew behavioral1/files/0x000400000001cf54-1850.dat family_berbew behavioral1/files/0x000400000001cf6b-1876.dat family_berbew behavioral1/files/0x000400000001d1b5-1917.dat family_berbew behavioral1/files/0x000400000001d2d4-1941.dat family_berbew behavioral1/files/0x000400000001d318-1965.dat family_berbew behavioral1/files/0x000400000001d328-1987.dat family_berbew behavioral1/files/0x000400000001d341-2013.dat family_berbew behavioral1/files/0x000400000001d34c-2029.dat family_berbew behavioral1/files/0x000400000001d635-2103.dat family_berbew behavioral1/files/0x000400000001d684-2127.dat family_berbew behavioral1/files/0x000400000001d69e-2151.dat family_berbew behavioral1/files/0x000400000001d765-2175.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2208 Iidbke32.exe 3064 Ibmfdkcf.exe 2584 Imbkadcl.exe 2628 Iclcnnji.exe 2480 Ifkojiim.exe 2728 Iiikfehq.exe 2520 Imeggc32.exe 1148 Infdolgh.exe 3008 Ifmlpigj.exe 2688 Jilhldfn.exe 776 Jgnhga32.exe 2684 Joepio32.exe 2972 Jbdlejmn.exe 3028 Jgqemakf.exe 2304 Jnkmjk32.exe 268 Jedefejo.exe 2300 Jkonco32.exe 1808 Jjanolhg.exe 716 Jmpjkggj.exe 1476 Jakfkfpc.exe 952 Jcjbgaog.exe 1168 Jmbgpg32.exe 1908 Jpqclb32.exe 2236 Jclomamd.exe 2924 Jghknp32.exe 2164 Jjfgjk32.exe 2944 Jmdcfg32.exe 1372 Kpcpbb32.exe 2732 Kcolba32.exe 2860 Kfmhol32.exe 2508 Kjhdokbo.exe 2996 Kljqgc32.exe 2576 Kbcicmpj.exe 2828 Kfoedl32.exe 2816 Kebepion.exe 2848 Kmimafop.exe 2284 Kllmmc32.exe 1944 Knjiin32.exe 1252 Kfaajlfp.exe 584 Kipnfged.exe 2532 Klnjbbdh.exe 1716 Komfnnck.exe 1524 Kakbjibo.exe 1924 Kegnkh32.exe 2428 Khekgc32.exe 2100 Kjcgco32.exe 948 Koocdnai.exe 3020 Kbkodl32.exe 2888 Keikqhhe.exe 2900 Lhggmchi.exe 2644 Llccmb32.exe 980 Loapim32.exe 2664 Laplei32.exe 2464 Ldnhad32.exe 816 Lfmdnp32.exe 2244 Lfmdnp32.exe 1076 Lkhpnnej.exe 1452 Lodlom32.exe 2080 Labhkh32.exe 2452 Lpeifeca.exe 1268 Ldqegd32.exe 1344 Lhlqhb32.exe 1196 Lkkmdn32.exe 1156 Lmiipi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2088 debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe 2088 debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe 2208 Iidbke32.exe 2208 Iidbke32.exe 3064 Ibmfdkcf.exe 3064 Ibmfdkcf.exe 2584 Imbkadcl.exe 2584 Imbkadcl.exe 2628 Iclcnnji.exe 2628 Iclcnnji.exe 2480 Ifkojiim.exe 2480 Ifkojiim.exe 2728 Iiikfehq.exe 2728 Iiikfehq.exe 2520 Imeggc32.exe 2520 Imeggc32.exe 1148 Infdolgh.exe 1148 Infdolgh.exe 3008 Ifmlpigj.exe 3008 Ifmlpigj.exe 2688 Jilhldfn.exe 2688 Jilhldfn.exe 776 Jgnhga32.exe 776 Jgnhga32.exe 2684 Joepio32.exe 2684 Joepio32.exe 2972 Jbdlejmn.exe 2972 Jbdlejmn.exe 3028 Jgqemakf.exe 3028 Jgqemakf.exe 2304 Jnkmjk32.exe 2304 Jnkmjk32.exe 268 Jedefejo.exe 268 Jedefejo.exe 2300 Jkonco32.exe 2300 Jkonco32.exe 1808 Jjanolhg.exe 1808 Jjanolhg.exe 716 Jmpjkggj.exe 716 Jmpjkggj.exe 1476 Jakfkfpc.exe 1476 Jakfkfpc.exe 952 Jcjbgaog.exe 952 Jcjbgaog.exe 1168 Jmbgpg32.exe 1168 Jmbgpg32.exe 1908 Jpqclb32.exe 1908 Jpqclb32.exe 2236 Jclomamd.exe 2236 Jclomamd.exe 2924 Jghknp32.exe 2924 Jghknp32.exe 2164 Jjfgjk32.exe 2164 Jjfgjk32.exe 2944 Jmdcfg32.exe 2944 Jmdcfg32.exe 1372 Kpcpbb32.exe 1372 Kpcpbb32.exe 2732 Kcolba32.exe 2732 Kcolba32.exe 2860 Kfmhol32.exe 2860 Kfmhol32.exe 2508 Kjhdokbo.exe 2508 Kjhdokbo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgknheej.exe Bhhnli32.exe File opened for modification C:\Windows\SysWOW64\Llqcfe32.exe Lmnbkinf.exe File opened for modification C:\Windows\SysWOW64\Mekdekin.exe Maphdl32.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Penfelgm.exe File created C:\Windows\SysWOW64\Jngohf32.dll Apomfh32.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Ofbfdmeb.exe Nccjhafn.exe File created C:\Windows\SysWOW64\Obopfpji.dll Paejki32.exe File created C:\Windows\SysWOW64\Ankdiqih.exe Ajphib32.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Bdjefj32.exe File opened for modification C:\Windows\SysWOW64\Mlgigdoh.exe Mhlmgf32.exe File created C:\Windows\SysWOW64\Nqqdag32.exe Nnbhek32.exe File created C:\Windows\SysWOW64\Ccdlbf32.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Dhggeddb.dll Fjilieka.exe File opened for modification C:\Windows\SysWOW64\Fdapak32.exe Fpfdalii.exe File created C:\Windows\SysWOW64\Jclomamd.exe Jpqclb32.exe File created C:\Windows\SysWOW64\Ldnhad32.exe Laplei32.exe File created C:\Windows\SysWOW64\Mhgclfje.exe Midcpj32.exe File created C:\Windows\SysWOW64\Gghcajge.dll Mlgigdoh.exe File created C:\Windows\SysWOW64\Pipopl32.exe Pjmodopf.exe File created C:\Windows\SysWOW64\Jkjecnop.dll Bommnc32.exe File opened for modification C:\Windows\SysWOW64\Glpjaf32.dll Epdkli32.exe File created C:\Windows\SysWOW64\Gelppaof.exe Gaqcoc32.exe File created C:\Windows\SysWOW64\Lphhoacd.dll Oomhcbjp.exe File created C:\Windows\SysWOW64\Nnbhek32.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Hpdcdhpk.dll Bhahlj32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Baildokg.exe File created C:\Windows\SysWOW64\Bhjogple.dll Lhggmchi.exe File created C:\Windows\SysWOW64\Hlpafgnp.dll Mkhmma32.exe File created C:\Windows\SysWOW64\Accikb32.dll Bcaomf32.exe File created C:\Windows\SysWOW64\Cdakgibq.exe Cpeofk32.exe File created C:\Windows\SysWOW64\Cibcni32.dll Qhooggdn.exe File opened for modification C:\Windows\SysWOW64\Dbehoa32.exe Dnilobkm.exe File created C:\Windows\SysWOW64\Mmqgncdn.dll Eihfjo32.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gelppaof.exe File created C:\Windows\SysWOW64\Difoda32.dll Npnhlg32.exe File created C:\Windows\SysWOW64\Eakjok32.dll Nohnhc32.exe File created C:\Windows\SysWOW64\Dgdfmnkb.dll Bbflib32.exe File created C:\Windows\SysWOW64\Bioggp32.dll Copfbfjj.exe File opened for modification C:\Windows\SysWOW64\Abpfhcje.exe Admemg32.exe File created C:\Windows\SysWOW64\Apcfahio.exe Alhjai32.exe File created C:\Windows\SysWOW64\Lilchoah.dll Bkaqmeah.exe File created C:\Windows\SysWOW64\Qdoneabg.dll Bnpmipql.exe File created C:\Windows\SysWOW64\Abbmqhgj.dll Mhgclfje.exe File created C:\Windows\SysWOW64\Icaooali.dll Menakj32.exe File opened for modification C:\Windows\SysWOW64\Bbdocc32.exe Boiccdnf.exe File opened for modification C:\Windows\SysWOW64\Bkfjhd32.exe Bgknheej.exe File created C:\Windows\SysWOW64\Hpmgqnfl.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Ldenbcge.exe Lpjbad32.exe File created C:\Windows\SysWOW64\Hlhaqogk.exe Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Fioija32.exe Fjlhneio.exe File created C:\Windows\SysWOW64\Bhfbdd32.dll Ajdadamj.exe File created C:\Windows\SysWOW64\Cphlljge.exe Cphlljge.exe File opened for modification C:\Windows\SysWOW64\Dmafennb.exe Dnneja32.exe File created C:\Windows\SysWOW64\Fdapak32.exe Fpfdalii.exe File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe Gangic32.exe File opened for modification C:\Windows\SysWOW64\Ldnhad32.exe Laplei32.exe File created C:\Windows\SysWOW64\Aimcgn32.dll Ajphib32.exe File created C:\Windows\SysWOW64\Feeiob32.exe Ffbicfoc.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hicodd32.exe File created C:\Windows\SysWOW64\Bbdoqc32.dll Pjmodopf.exe File created C:\Windows\SysWOW64\Ejdmpb32.dll Hlhaqogk.exe File opened for modification C:\Windows\SysWOW64\Nohnhc32.exe Nkmbgdfl.exe -
Program crash 1 IoCs
pid pid_target Process 6040 5448 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdehi32.dll" Jnkmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khklki32.dll" Mhnjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afkbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgaqgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogjimd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdcbfq32.dll" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" Idceea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minjlg32.dll" Joepio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khekgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjoqhah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpafkknm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgnhga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onmkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll" Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oojknblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iegecigk.dll" Bhfagipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcmgmp32.dll" Nfmmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppjglfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqpjbf32.dll" Cjndop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loapim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogmfbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkgnfbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jakfkfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pipopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efncicpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdphdj.dll" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" Icbimi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mekdekin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheafa32.dll" Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ondajnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamcl32.dll" Ckdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glfhll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goddhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khneoedc.dll" Midcpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkjica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofecpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkonco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgocalod.dll" Lmkfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgbmh32.dll" Nkmbgdfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfjjia.dll" Ogjimd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbpenqj.dll" Loooca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pelipl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnccfpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdfmnkb.dll" Bbflib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgodbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdpomfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpfhcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebinic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacpdbej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmbagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Admemg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2208 2088 debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe 28 PID 2088 wrote to memory of 2208 2088 debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe 28 PID 2088 wrote to memory of 2208 2088 debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe 28 PID 2088 wrote to memory of 2208 2088 debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe 28 PID 2208 wrote to memory of 3064 2208 Iidbke32.exe 29 PID 2208 wrote to memory of 3064 2208 Iidbke32.exe 29 PID 2208 wrote to memory of 3064 2208 Iidbke32.exe 29 PID 2208 wrote to memory of 3064 2208 Iidbke32.exe 29 PID 3064 wrote to memory of 2584 3064 Ibmfdkcf.exe 30 PID 3064 wrote to memory of 2584 3064 Ibmfdkcf.exe 30 PID 3064 wrote to memory of 2584 3064 Ibmfdkcf.exe 30 PID 3064 wrote to memory of 2584 3064 Ibmfdkcf.exe 30 PID 2584 wrote to memory of 2628 2584 Imbkadcl.exe 31 PID 2584 wrote to memory of 2628 2584 Imbkadcl.exe 31 PID 2584 wrote to memory of 2628 2584 Imbkadcl.exe 31 PID 2584 wrote to memory of 2628 2584 Imbkadcl.exe 31 PID 2628 wrote to memory of 2480 2628 Iclcnnji.exe 32 PID 2628 wrote to memory of 2480 2628 Iclcnnji.exe 32 PID 2628 wrote to memory of 2480 2628 Iclcnnji.exe 32 PID 2628 wrote to memory of 2480 2628 Iclcnnji.exe 32 PID 2480 wrote to memory of 2728 2480 Ifkojiim.exe 33 PID 2480 wrote to memory of 2728 2480 Ifkojiim.exe 33 PID 2480 wrote to memory of 2728 2480 Ifkojiim.exe 33 PID 2480 wrote to memory of 2728 2480 Ifkojiim.exe 33 PID 2728 wrote to memory of 2520 2728 Iiikfehq.exe 34 PID 2728 wrote to memory of 2520 2728 Iiikfehq.exe 34 PID 2728 wrote to memory of 2520 2728 Iiikfehq.exe 34 PID 2728 wrote to memory of 2520 2728 Iiikfehq.exe 34 PID 2520 wrote to memory of 1148 2520 Imeggc32.exe 35 PID 2520 wrote to memory of 1148 2520 Imeggc32.exe 35 PID 2520 wrote to memory of 1148 2520 Imeggc32.exe 35 PID 2520 wrote to memory of 1148 2520 Imeggc32.exe 35 PID 1148 wrote to memory of 3008 1148 Infdolgh.exe 36 PID 1148 wrote to memory of 3008 1148 Infdolgh.exe 36 PID 1148 wrote to memory of 3008 1148 Infdolgh.exe 36 PID 1148 wrote to memory of 3008 1148 Infdolgh.exe 36 PID 3008 wrote to memory of 2688 3008 Ifmlpigj.exe 37 PID 3008 wrote to memory of 2688 3008 Ifmlpigj.exe 37 PID 3008 wrote to memory of 2688 3008 Ifmlpigj.exe 37 PID 3008 wrote to memory of 2688 3008 Ifmlpigj.exe 37 PID 2688 wrote to memory of 776 2688 Jilhldfn.exe 38 PID 2688 wrote to memory of 776 2688 Jilhldfn.exe 38 PID 2688 wrote to memory of 776 2688 Jilhldfn.exe 38 PID 2688 wrote to memory of 776 2688 Jilhldfn.exe 38 PID 776 wrote to memory of 2684 776 Jgnhga32.exe 39 PID 776 wrote to memory of 2684 776 Jgnhga32.exe 39 PID 776 wrote to memory of 2684 776 Jgnhga32.exe 39 PID 776 wrote to memory of 2684 776 Jgnhga32.exe 39 PID 2684 wrote to memory of 2972 2684 Joepio32.exe 40 PID 2684 wrote to memory of 2972 2684 Joepio32.exe 40 PID 2684 wrote to memory of 2972 2684 Joepio32.exe 40 PID 2684 wrote to memory of 2972 2684 Joepio32.exe 40 PID 2972 wrote to memory of 3028 2972 Jbdlejmn.exe 41 PID 2972 wrote to memory of 3028 2972 Jbdlejmn.exe 41 PID 2972 wrote to memory of 3028 2972 Jbdlejmn.exe 41 PID 2972 wrote to memory of 3028 2972 Jbdlejmn.exe 41 PID 3028 wrote to memory of 2304 3028 Jgqemakf.exe 42 PID 3028 wrote to memory of 2304 3028 Jgqemakf.exe 42 PID 3028 wrote to memory of 2304 3028 Jgqemakf.exe 42 PID 3028 wrote to memory of 2304 3028 Jgqemakf.exe 42 PID 2304 wrote to memory of 268 2304 Jnkmjk32.exe 43 PID 2304 wrote to memory of 268 2304 Jnkmjk32.exe 43 PID 2304 wrote to memory of 268 2304 Jnkmjk32.exe 43 PID 2304 wrote to memory of 268 2304 Jnkmjk32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\debad8120c6d7432cc23776a0b4edbf0_NEIKI.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Iidbke32.exeC:\Windows\system32\Iidbke32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ibmfdkcf.exeC:\Windows\system32\Ibmfdkcf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Jilhldfn.exeC:\Windows\system32\Jilhldfn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:716 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Jmbgpg32.exeC:\Windows\system32\Jmbgpg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Jpqclb32.exeC:\Windows\system32\Jpqclb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe33⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Kbcicmpj.exeC:\Windows\system32\Kbcicmpj.exe34⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe35⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe36⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe37⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe39⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe40⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe41⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Klnjbbdh.exeC:\Windows\system32\Klnjbbdh.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe43⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe44⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe45⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe47⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe49⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe50⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe55⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe57⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe58⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe59⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe60⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Lpeifeca.exeC:\Windows\system32\Lpeifeca.exe61⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe62⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe64⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe65⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe66⤵PID:2200
-
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe67⤵PID:1596
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe68⤵PID:3036
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe69⤵PID:1092
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe70⤵PID:2660
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe71⤵PID:2032
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe72⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe75⤵PID:2948
-
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe76⤵PID:2976
-
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe77⤵PID:1312
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe78⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe79⤵PID:1904
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe80⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe81⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe82⤵PID:1068
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe84⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe85⤵PID:1660
-
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe86⤵PID:1864
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe87⤵PID:1640
-
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe88⤵
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe89⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe90⤵PID:2056
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe92⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe93⤵PID:1468
-
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe94⤵PID:1176
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe95⤵PID:1736
-
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe96⤵
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe97⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe98⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe99⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe100⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:452 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe102⤵PID:2460
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Mgajhbkg.exeC:\Windows\system32\Mgajhbkg.exe104⤵PID:1428
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe105⤵PID:1504
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe106⤵PID:2984
-
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe107⤵PID:2656
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe109⤵PID:636
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe110⤵PID:2296
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe111⤵PID:1940
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe112⤵PID:1892
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe113⤵PID:356
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe114⤵PID:2224
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe115⤵PID:3012
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe116⤵PID:3000
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe117⤵PID:1756
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2228 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe119⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe120⤵PID:940
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe121⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe122⤵PID:1612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-