91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
Size

45KB
MD5

1c821d5faa5dd6e7027b87a13b2e565e
SHA1

5d150373c4b153a000f0aa80af74b76d8c79fd8c
SHA256

91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088
SHA512

154daaeb0fc85e0f6a202a4b08b6f7afb1d9046b46ab5b26beb4fa6c861a82df5b9e1959747b01efb5fd271d49ae4269ffbd702f92cb31994807156496ee256a
SSDEEP

768:d56R25LL8XftVAt5yKlUlBFB1LjtmB1a/RrhLN1TxKWb1x4KPwleck/1H5E:dOAKzHvtmB1CphZ1Txr/4KP8ec6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe

Executes dropped EXE 64 IoCs

pid	Process
3992	Jbkjjblm.exe
5096	Jidbflcj.exe
752	Jaljgidl.exe
2676	Jbmfoa32.exe
5008	Jkdnpo32.exe
2872	Jangmibi.exe
3204	Jdmcidam.exe
2524	Jfkoeppq.exe
3488	Jiikak32.exe
4824	Kaqcbi32.exe
4600	Kdopod32.exe
2956	Kbapjafe.exe
460	Kilhgk32.exe
1008	Kacphh32.exe
4568	Kdaldd32.exe
4596	Kgphpo32.exe
1152	Kinemkko.exe
4884	Kaemnhla.exe
2380	Kdcijcke.exe
1848	Kbfiep32.exe
3616	Kgbefoji.exe
4236	Kmlnbi32.exe
3940	Kpjjod32.exe
2276	Kcifkp32.exe
3404	Kgdbkohf.exe
1580	Kibnhjgj.exe
4492	Kajfig32.exe
5016	Kdhbec32.exe
4320	Kgfoan32.exe
2080	Kkbkamnl.exe
4212	Liekmj32.exe
4232	Lalcng32.exe
5068	Lgikfn32.exe
1936	Liggbi32.exe
4940	Ldmlpbbj.exe
3600	Lgkhlnbn.exe
3920	Lnepih32.exe
2924	Lpcmec32.exe
916	Ldohebqh.exe
2488	Lkiqbl32.exe
1304	Lnhmng32.exe
2940	Laciofpa.exe
2512	Lpfijcfl.exe
3444	Lcdegnep.exe
3508	Lklnhlfb.exe
4552	Lnjjdgee.exe
1348	Lcgblncm.exe
2628	Lknjmkdo.exe
2764	Mahbje32.exe
3292	Mpkbebbf.exe
2472	Mciobn32.exe
5112	Mkpgck32.exe
3820	Majopeii.exe
2020	Mcklgm32.exe
3996	Mkbchk32.exe
3540	Mkepnjng.exe
5116	Mncmjfmk.exe
4156	Mdmegp32.exe
3348	Mcpebmkb.exe
5012	Mjjmog32.exe
2024	Mdpalp32.exe
212	Njljefql.exe
1356	Nqfbaq32.exe
2612	Ngpjnkpf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4816	4908	WerFault.exe	166

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3992	4204	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe	90
PID 4204 wrote to memory of 3992	4204	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe	90
PID 4204 wrote to memory of 3992	4204	91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe	90
PID 3992 wrote to memory of 5096	3992	Jbkjjblm.exe	91
PID 3992 wrote to memory of 5096	3992	Jbkjjblm.exe	91
PID 3992 wrote to memory of 5096	3992	Jbkjjblm.exe	91
PID 5096 wrote to memory of 752	5096	Jidbflcj.exe	92
PID 5096 wrote to memory of 752	5096	Jidbflcj.exe	92
PID 5096 wrote to memory of 752	5096	Jidbflcj.exe	92
PID 752 wrote to memory of 2676	752	Jaljgidl.exe	93
PID 752 wrote to memory of 2676	752	Jaljgidl.exe	93
PID 752 wrote to memory of 2676	752	Jaljgidl.exe	93
PID 2676 wrote to memory of 5008	2676	Jbmfoa32.exe	94
PID 2676 wrote to memory of 5008	2676	Jbmfoa32.exe	94
PID 2676 wrote to memory of 5008	2676	Jbmfoa32.exe	94
PID 5008 wrote to memory of 2872	5008	Jkdnpo32.exe	95
PID 5008 wrote to memory of 2872	5008	Jkdnpo32.exe	95
PID 5008 wrote to memory of 2872	5008	Jkdnpo32.exe	95
PID 2872 wrote to memory of 3204	2872	Jangmibi.exe	96
PID 2872 wrote to memory of 3204	2872	Jangmibi.exe	96
PID 2872 wrote to memory of 3204	2872	Jangmibi.exe	96
PID 3204 wrote to memory of 2524	3204	Jdmcidam.exe	97
PID 3204 wrote to memory of 2524	3204	Jdmcidam.exe	97
PID 3204 wrote to memory of 2524	3204	Jdmcidam.exe	97
PID 2524 wrote to memory of 3488	2524	Jfkoeppq.exe	98
PID 2524 wrote to memory of 3488	2524	Jfkoeppq.exe	98
PID 2524 wrote to memory of 3488	2524	Jfkoeppq.exe	98
PID 3488 wrote to memory of 4824	3488	Jiikak32.exe	99
PID 3488 wrote to memory of 4824	3488	Jiikak32.exe	99
PID 3488 wrote to memory of 4824	3488	Jiikak32.exe	99
PID 4824 wrote to memory of 4600	4824	Kaqcbi32.exe	100
PID 4824 wrote to memory of 4600	4824	Kaqcbi32.exe	100
PID 4824 wrote to memory of 4600	4824	Kaqcbi32.exe	100
PID 4600 wrote to memory of 2956	4600	Kdopod32.exe	101
PID 4600 wrote to memory of 2956	4600	Kdopod32.exe	101
PID 4600 wrote to memory of 2956	4600	Kdopod32.exe	101
PID 2956 wrote to memory of 460	2956	Kbapjafe.exe	102
PID 2956 wrote to memory of 460	2956	Kbapjafe.exe	102
PID 2956 wrote to memory of 460	2956	Kbapjafe.exe	102
PID 460 wrote to memory of 1008	460	Kilhgk32.exe	103
PID 460 wrote to memory of 1008	460	Kilhgk32.exe	103
PID 460 wrote to memory of 1008	460	Kilhgk32.exe	103
PID 1008 wrote to memory of 4568	1008	Kacphh32.exe	104
PID 1008 wrote to memory of 4568	1008	Kacphh32.exe	104
PID 1008 wrote to memory of 4568	1008	Kacphh32.exe	104
PID 4568 wrote to memory of 4596	4568	Kdaldd32.exe	105
PID 4568 wrote to memory of 4596	4568	Kdaldd32.exe	105
PID 4568 wrote to memory of 4596	4568	Kdaldd32.exe	105
PID 4596 wrote to memory of 1152	4596	Kgphpo32.exe	106
PID 4596 wrote to memory of 1152	4596	Kgphpo32.exe	106
PID 4596 wrote to memory of 1152	4596	Kgphpo32.exe	106
PID 1152 wrote to memory of 4884	1152	Kinemkko.exe	107
PID 1152 wrote to memory of 4884	1152	Kinemkko.exe	107
PID 1152 wrote to memory of 4884	1152	Kinemkko.exe	107
PID 4884 wrote to memory of 2380	4884	Kaemnhla.exe	108
PID 4884 wrote to memory of 2380	4884	Kaemnhla.exe	108
PID 4884 wrote to memory of 2380	4884	Kaemnhla.exe	108
PID 2380 wrote to memory of 1848	2380	Kdcijcke.exe	109
PID 2380 wrote to memory of 1848	2380	Kdcijcke.exe	109
PID 2380 wrote to memory of 1848	2380	Kdcijcke.exe	109
PID 1848 wrote to memory of 3616	1848	Kbfiep32.exe	110
PID 1848 wrote to memory of 3616	1848	Kbfiep32.exe	110
PID 1848 wrote to memory of 3616	1848	Kbfiep32.exe	110
PID 3616 wrote to memory of 4236	3616	Kgbefoji.exe	111

C:\Users\Admin\AppData\Local\Temp\91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe
"C:\Users\Admin\AppData\Local\Temp\91015c9e0d1335a9e188a78456f7634c15127de7a07d57df349f5f1255e76088.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\SysWOW64\Jbkjjblm.exe
  C:\Windows\system32\Jbkjjblm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\Jidbflcj.exe
    C:\Windows\system32\Jidbflcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\Jaljgidl.exe
      C:\Windows\system32\Jaljgidl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        36⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        38⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5112
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        62⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        65⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        66⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        67⤵
        
        PID:908
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        70⤵
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        75⤵
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        77⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 400
        78⤵
        Program crash
        
        PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
45KB

MD5
15ae25048e92e14ed6d3111177674941

SHA1
5aad077ffd5c437ef73d9b481d0ef12dfb140c39

SHA256
a017648f2f90f9f5055987531d94ae1655da36c67d81be0bf638b392d477a456

SHA512
41cade4806442cb4a4f670c8e39de6b9fe6c6c928d81b3a22ec24c9dc3a91819e0d9e6a38e04485b88a922f8b35f18cf29dea8d2ef8a2e226fd5bd93e6fb51e1

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
45KB

MD5
5f51ff0b61f1e479a452cbb14e235346

SHA1
6ada6a087a1e79b8245162b8983869e826a394de

SHA256
5437fec4c1f274d2145903888fe3df166f98233e49b5808d8a06804f97feac91

SHA512
9b619d5852da99f8ce5fea8d6b1bf5d8262a89b60034cf87601dcbbc248f3e389b69b7628255a2467e065309db27c2e9e9b4a9ba7dc1d5e1e7c99d34f32a5a99

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
45KB

MD5
245c94de383636f8eb9f210fb81f2855

SHA1
9e40c7603165952d2714fe2e35e56a067fb8ed17

SHA256
3b81d3f8740a498c49099f4ddfb0d7dc8072749f906ef5dc51c6a82dea014830

SHA512
837a982f0c52e70d66b42cb6f28d4777f1a75419112ed01c88572ef5af0a655d9dc7342fcf449e6ecd2d44856921fadeef17a013ee57aee5643108f73d3888c1

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
45KB

MD5
4d7d0625959b093c47ce6b27dee4ed28

SHA1
7cc8791a3dbba3539640af327536c210e593d5c2

SHA256
68189c30d5624dad9118e507ca5df21986d9328bda381046e8f97985fa6e718b

SHA512
e562e73c8cb304d802641838c42fbf7a7156d77ee86247f6fce3812027f98a80881917a5cff39ca46bed35c5cfce067239fb1a4cfd4ad0d04cb6b1620f27b0b9

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
45KB

MD5
aa68665db2d487c3fdbdbc744d638fff

SHA1
23c9848313ab9f0b74709b45b00d1c907083b672

SHA256
22a7860e72731995c2bc97ab82a3b3f855ce631712dc73ebed859170bc71739f

SHA512
07dc46ba2c33e4aa703f21f870f5fe6c9d6159e8b592d8e1afe8fb331f6153a976dd7c097ba8ffb7f2a43faaa85aba79e8ed5ddf1e5a7d4b3e7c6b7d14a6a231

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
45KB

MD5
39c29bb7724e7e901802ecd98ebcccb5

SHA1
41b0833ab2696c3ed488b965c71f367e3a5f737d

SHA256
27c965efe825e14f07c26294db15833d6b46e2f597b164108e8bcfef443c2444

SHA512
f44bf88dc16fd332327241abc7a6245f12289d352d3814fc0ba05893b5355ab9303623d0fc14b075ec565928d13c3c7d3202791047de85c6785149b15ef083d1

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
45KB

MD5
ebbf9b0d4183bf7133b6218c2a4db29a

SHA1
55aead0d62a1fabb1f9791300c21d268ec2ac632

SHA256
554e1e75afee0ee8d336d80edf8286a40f0f3760eac71a05b733aadaf237ca6e

SHA512
ab8cc7d6e79d4285c0f11de8b257d8d6f89040f75fe0e50b217ebca66f77857eb3ff117d7148877a9069b041460aa1d16f92d253d71958dab22c449c22eacbbc

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
45KB

MD5
2fbfa7c09c916f3bb8c22315c4c7e1f0

SHA1
04a5ecce550ee235d6c4d9abf1ffdf4361059886

SHA256
0c2ace77d7e518b9c8ad212720a5d2befb97a01e7af1d1d325889abb159dcca3

SHA512
b9340376902a794d50c9fbf5b4fa3520b7186ce5b5bad184ef8aa8425786136c49fb47982d9ddc37da6ae6ecb5536ff4906fca7e8e35580b90a1ee1ff6d45cec

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
45KB

MD5
9d7975a6f23250b741b05bbc9c667f81

SHA1
9950b270508b259572d4602472c285e0387bbd1a

SHA256
7e8fa764440e91ab02dd44f2b792878caf0e7b100122721cba99e663ee9de3b7

SHA512
83607400f6f4d310514e6216cb25882c38c5fd4228f8c1a2a1affd7209eadf0e8b51d97780bc855e96fdad2c0dda5a14aec4e83645fcb338ceff93c85d064a8c

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
45KB

MD5
9c3e5d39deea17047bb1695956590a68

SHA1
95f838bf2b2a74cf5ae57b933ec62c9bed3a42ca

SHA256
8a0876a060c58362cea304638dd16805d8de8271b8caf540659a8dadfb7a148e

SHA512
48a21b7eadfa7f75210ac6968efe523c0ae636d098ee3cce5261cd8edec9cd17e881824bfb1d0e1175968965673943f51bf3227db4129f35ab688cf6d34d453f

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe

Filesize
45KB

MD5
dc3b5409ad5cfcdf1f35913791ecdea5

SHA1
c3620681441f45cdac3d0aa1bd3fbc54b47e5689

SHA256
475512b73d026e3cee76966b7e70eb8a541cb9c3ae109eef7d979f2ba85caf09

SHA512
ff7f7794e5bfa603c205377b3b1d89459e89c5d287adffb695dc60f88bb6c036f762d97fd495fcdc313943a24acb9cc2328798d55ed08f2a21b25baf12c8078b

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
45KB

MD5
642455277fd486ca07de5531977d879d

SHA1
7f7841be701b02a34052422065382ccdfa1f4f74

SHA256
951d0f6d55dfa0dc52e174ba31f17638cbf4be2935ab052df4b13a2d1faaba2d

SHA512
eeed96c4a2d3a3c689cad12402b5c2113c6e6174df69f9cc496d28c4e7fd4e8178cb1d0593b886eb970528946965536a05fb14f46444bcc9e8a8cd69a841997f

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
45KB

MD5
e3c338878cf66830054bdb163e8f2f6b

SHA1
e4a90975fe24bb48d76ccf36c6645e624ef232b3

SHA256
f0b113d8c2af7b285be6e49826f52579d8f328e7b5c4744988a05654234cfcfb

SHA512
9b075a4fdd05e69d84448cf89b9deee9aa4ca51a3701b12385a80d0535e6d2a1f2ee91c8c09bd73ef104b2b61aa9e9623006f8ec1d65619b0f1f6045e2a930ef

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
45KB

MD5
6dd5235cf6304de7d9a4181af37f1ce3

SHA1
13b5559c815ed78fafc975f40ca608e2ad0a1921

SHA256
d9c6a38c1865ff5d428ccd337623f73ca498dc1fa9f9132239a243133fb3cec7

SHA512
423075ff7dbbf79796c21d9f805177a7f56d80d6f763943da38b52ff4e5200d6beda358c90956dd4d287c37230c1896abb3a8ed9c10df97ccd05ec491ef589a4

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
45KB

MD5
3a4a7f59d675426c14a3ae718c2f1085

SHA1
cc9a7ab03ecb675e80b39f675e7f268b0db332bc

SHA256
d7474b2dc95ed3b575fe1cf2a508053da81cc255374ae51c3f0a3efdef0a75ff

SHA512
8848db8d3415c5c724a5c79393e3f6ec559df5f5f128799cdca0da2a97817a909220dd5b55125958ceb299f91a3e92498b08ca531f6850c3f6b8fe8a5a5cb516

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
45KB

MD5
28a2b0584b72b79c4628949f8a1bcbc2

SHA1
5a15e5068ffaba44271dd38e668e2927f6e22c5e

SHA256
f4eb267dc6e3cbded567eb4b4351481de28240aae05295383024b670021a2a37

SHA512
fb4c8b38a5be9367787b5e3389e987650f959ebfe1ab7845d796fe0e31e017004c1d5c344ab7add22e610455e1519b940a1144e72393c9f87b38c5f6832c032b

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
45KB

MD5
d8e1705186662fd3aa62b359a71f5491

SHA1
31fe2c4403013323667d4f6f745d7aa03d93aeb4

SHA256
7dd16d8e7af5e7af12b016417d5eafbefba29245160ca445c04081fda604d358

SHA512
75ddc28662e0e1b8dace1ee27cf13d68415e20d0175898e7d0866c8eeb803bd5208032c74a0267da501965e8d0a0c3131f4bc3ec47e3dae7c052ca01256edce9

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
45KB

MD5
2eb43dbf675720d73f6e617cb23b793d

SHA1
5395f9277a21f66ebba34c74d42d2414df09b0cf

SHA256
843a3802335ef2902173033558a37e18c4338cc38eb5deea8ce9e73e2c6ed7e9

SHA512
35ed0d3f87100ef160d847f3300a03328c6100e115300aaaaadde8e71c8a9b5fd6786467adb108035d081bcef2ffefb11f105bb64d9864caa2beb5d559d4d069

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
45KB

MD5
2554d6889b49ea9f38da30ba1e858309

SHA1
31f0ce6b9e4b26eaea83ee475b79c834b2eeb7fa

SHA256
9a4fc1baf25e7d93e0b8b349aadb0af4a48ebd4d41f1ef7c154058a4584eece4

SHA512
1b1ede4d44ef56aee5133f3f17e3ca2188818eece8ba120a5f014d309b4f997010c30dd4fb076533423258c2ea9c8b693b9ac61b1177dcf4f0e99214eb80b82e

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
45KB

MD5
3f374813a0e069bc3f8e3a65b164e35f

SHA1
f7d9952b2f32944a870ab7e9878ce4c8964dde2f

SHA256
384cc698511507170a4f4a69acfd13fb77479f1881199526621ed7682ab865ee

SHA512
b45e44336915ec86ffe26b4ff3799789270de83c0a4ae4bb3811165dc88f463cada5c8830010daa4786b2bb8c5177170c03070c2f13f9ee8f21f6f3cf9cf21a2

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
45KB

MD5
cb4ccdcead701a98faba2b34e036c99b

SHA1
c0353191cda3183efeb6194f63eb5a1ba8b1ea45

SHA256
afb7141792279cf4e42aaec84526bbacb6dc3066aed53ff108d88397387384cf

SHA512
28f44857794700774fc339e5e6a087aa4ac3a7b7cf25d3cce0b28c974de8c0ec56120eae15fa020aad665d613d2f8a899ba4700449eab3a5edaab4962e4390b0

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
45KB

MD5
39e14069a7bf1f03e5711634fc5f3d09

SHA1
48e72079af2749fe05d738181ccaa9ad09e43f99

SHA256
d33c66e1e95150eaa240522742efac3af66959815a2c1759f282d0cc79136752

SHA512
36abd50099f50d2c79835f761ee0707b3988806249aeb1f42e7bdf1039757944f136f80cbb9101f3f82bbc7d63e87097ebd8525c7c9d14757a2ae90d157d3d49

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
45KB

MD5
d3c2e80abb60251068a145effb874e2b

SHA1
265915ade687ca6fc1f3d1d0b21109cc0c33e661

SHA256
fbb7cac53b0a1d71a05977ffcb483a23062555aed496c7756eab5fad87596692

SHA512
97753cbfe82220b0dcf3ac19efa81f359db264c176b057a7af156610a8d547a8d7c03582bbe4ec70781e4bb911f6e7cb4470a0048f0d86572d12d63f3237ccb2

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
45KB

MD5
771ccd6d5938c29fb3629947ed0afd9c

SHA1
8c29c7b32dd3a6d0a95f71fc134221c13f8fd878

SHA256
a21adfbf2b913df52b254e56ad623a61f5453ae8fe0dc69d36176969eacdf0e1

SHA512
3a1a9b87c12a8869f6851c9f5d65b3da254c5b24515215a5baad7cc0dcf2194c65d8322b27b4d7734285cbc48275188e10e27dbe671b22931a82b8d9faab9753

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
45KB

MD5
b3a6be87769407cde46f28c657ae19d4

SHA1
6f0fbdc7103a2e550c9b3a2417f4fbb367f5be5d

SHA256
893705d1e6215723bfa1fbcc0a65af42db596ca6299af27a8fd794a2d6f95b6b

SHA512
733c1b61711a7bd8fbb7cd66a9a24cb6315a2375476f2207396efd050dd51fec7da9827af63ffbff77ed491996f1505797017977817973857c6c9b9d7a20e672

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
45KB

MD5
deb3272698a3955c2cb023877a48996e

SHA1
cfd75bd2137dad32eade136d271e0c21b717bdf9

SHA256
698d81e33b0775cfba8caad0774e79f2348d1d4b0ec41cef0035f9bafe77b605

SHA512
dff8813bc1c8c0e6b8a545033a1109d39b942eb43410359f189f5280a650c4144968772ab483e7ccd2d5fcca5e3f4581dcad819c75bd76a921f4c2ca1fd8775a

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
45KB

MD5
a9c15c07ab2072255abdd57e490d2be1

SHA1
47e8cd5bfc9174ed4bd73a4704c5ca47f3bf2d9d

SHA256
314aa9ef1a4d90229aa3e2f7d4def65987933c53e44a9544c617657d230f9db7

SHA512
d29c32e9fd34720b18df1fd33ef4cd6f4e5d9c718fa724444515abcd809edc147c094321d5f75ed7448cc63492ed516e17a702878cd2b6d0b7df24c230f91849

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
45KB

MD5
7f38a1ef64723f8d9984afea32c72c24

SHA1
2baa1d1b072a49229c680cf785bdd6e49b222282

SHA256
ce65a5f0a44e5fda0b5cf258f4c09f3c13f5653541430a44178dd648eb7350fc

SHA512
6a24571b77f9578373dbc5b9349481d07f7d2b73cf0e83b47a8aaf29825a8bde92605aa6ed5e3ec365a7ae1ad5ed4592f3305a850376a8a96b747a27bd845d6c

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
45KB

MD5
cf40e890f03b0a0c05fdcfd6c7f43ee4

SHA1
327cd322f08a3850a48eefc9dba2fb70579a2eb7

SHA256
b16df219d6a33ebb2a35b0facec459175a1eb82270fb4337325e13bbb0568dc1

SHA512
f4c989b866a5b176318feae413dcb51521a291eee2d3aaba7e928aa2dcbc47bb169f66e3a59c86c0c0a1d729a2fd6d841f11cc2d6dcb857b7b7b7f9b7bba90a2

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
45KB

MD5
df0dda9902f2b767f30e6832d50ad1f9

SHA1
142efd6cc8110a6b6d58708a682bfd6e6a7dcbdd

SHA256
8019d951296d2ad3923404b4a3e8f61cdec6593ac6f4ae2296f0aae60f148179

SHA512
21bcfb8153ecfe5b2acf4e1649cb6db566bf3285eee99ca3e5271fef0e510169559ee32259b6d08fdcc99148ffd014b1f1026c7b70e5fc1bb2bf6dd673d961b4

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
45KB

MD5
b7443fe4c73321432aeb1e847b0ccb69

SHA1
a5fe0f66d83ac52f2b04ea9b3ae377002cb02c18

SHA256
3777e1e151cdd7eb62351b48ff9758e9da5b1a47c25c4915ac6c3e3bbc1765de

SHA512
9bbae7818ae5fc78b83edf60aba7e08e9763331d74526afe649d48536837c666f52c719784478d820478064ae93973f436af84ebcbdf56babc2d6f1953a63baa

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
45KB

MD5
1f1b847e3942e83428a94047c6679ac1

SHA1
83830745243459499f6474f7bc33b8db1faa67ce

SHA256
2c3bf63a57e98e68f19b6d547d9736be2757ce64611bff90e51d1d83fa9e6f91

SHA512
92c1cb7ae3e95dd61c992a7a0532b56fc2ded07b3e460435cbe1018542439deb7bc60362f5906225cf65ae09290c89d122f754cfaa3b3f63ded5c833a96b5fbc

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
45KB

MD5
c3d5de52ae77ce03ba00c9738e9088b4

SHA1
2d7faed93dc1a2f87334773f8da35ea086abb364

SHA256
4cf274703c366ede940d9b73609de705ba62402bc69ad9864149de482d44ab4a

SHA512
918a5cb8ee36b212a94a1e01950ecc55adf252968e0a6a662ddb3b4a6db463844b400b47991abe301cc67db6db9ba3c13c674b43cd39a09cb1bd600cf1d69a1e

Download Submit
memory/212-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/460-584-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/460-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-583-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2472-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3404-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-576-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads