Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/05/2024, 12:17
Behavioral task: behavioral1
Sample: c61c957854c03092531bbfd339c06060_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: c61c957854c03092531bbfd339c06060_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: c61c957854c03092531bbfd339c06060_NeikiAnalytics.exe
Size: 664KB
MD5: c61c957854c03092531bbfd339c06060
SHA1: 9f97daa1ebafee4db828950453155e289ddc8e04
SHA256: f9f16bbdd2fc30b4cc98b6e706224aa7b9283a0f3234c3b75b27a7e797dfc03e
SHA512: 973586d5625ef6bb4a610f9c714d9c5fc28f003c7fb79dec4d26d03bc209c4ae3a6bc7ce3e7142d32c4b398c5c1d0a26f72ed3d7723ff334eaff79d628d9949e
SSDEEP: 12288:9W6PcpV6yYPv058KpV6yYPNUir2MhNl6zX3w9As/xO23WM6tJmDYjmR54F:9WfWceKWNUir2MhNl6zX3w9As/xO23Wn
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid pid_target Process procid_target 2696 1296 WerFault.exe 606 -
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c61c957854c03092531bbfd339c06060_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c61c957854c03092531bbfd339c06060_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe33⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe34⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe36⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe37⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe38⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe39⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe41⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe42⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe44⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe50⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe51⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe52⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe54⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe55⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe56⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe57⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe58⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe59⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe62⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe63⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe64⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe65⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe66⤵PID:960
-
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe67⤵PID:1836
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe68⤵PID:2244
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe69⤵PID:1624
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe70⤵PID:2584
-
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe71⤵PID:2468
-
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe72⤵PID:568
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe73⤵PID:2324
-
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe74⤵PID:940
-
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe75⤵PID:3052
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe76⤵PID:2180
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe77⤵PID:1716
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe78⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe79⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe80⤵PID:1696
-
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe81⤵PID:1048
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe82⤵PID:2252
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe83⤵PID:2148
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe84⤵PID:2912
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe85⤵PID:2308
-
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe86⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe87⤵PID:2592
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe88⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe89⤵PID:2612
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe90⤵PID:2492
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe93⤵PID:1496
-
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe94⤵PID:2860
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe95⤵PID:1936
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe96⤵PID:2020
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe97⤵PID:816
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe99⤵PID:1552
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe100⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe101⤵PID:2440
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe102⤵PID:2976
-
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe103⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe104⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe105⤵PID:2728
-
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe106⤵
- Drops file in System32 directory
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe107⤵
- Drops file in System32 directory
PID:544 -
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe108⤵PID:2424
-
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe110⤵PID:2228
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1096 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe113⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe114⤵PID:1760
-
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe115⤵PID:112
-
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe116⤵PID:1528
-
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe117⤵PID:1620
-
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe118⤵PID:2888
-
C:\Windows\SysWOW64\Pdgmlhha.exeC:\Windows\system32\Pdgmlhha.exe119⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe121⤵PID:2456
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe122⤵PID:1780