ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Size

75KB
MD5

afca30a4cc62a98b2ac201af1934e4b2
SHA1

d0638cfd467debd5aa76f773e63af82f6d1bf6ba
SHA256

ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6
SHA512

dc6bb41c06df4417bbb56b7d48ba29616e9be03576be9963c84a4f2d013f36ba504e7c5217bbad04f82fb0bab07fc3276508dadea28d4f360cc55b5cc1409842
SSDEEP

1536:nPtq0wAKWnDJZtZHHeLuvqquYXrL/YTf50SWcz61cgCe8uvQGYQzlV:M0fK8fZH+L7svwTfLWcz6ugCe8uvQa

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 26 IoCs

pid	Process
3792	Mnlfigcc.exe
1440	Mpkbebbf.exe
1568	Mciobn32.exe
2144	Mkpgck32.exe
2492	Mnocof32.exe
4480	Mdiklqhm.exe
3360	Mkbchk32.exe
4812	Mnapdf32.exe
4904	Mdkhapfj.exe
2708	Mkepnjng.exe
4992	Mncmjfmk.exe
1776	Mdmegp32.exe
4588	Mglack32.exe
5044	Mjjmog32.exe
1244	Mpdelajl.exe
3256	Mgnnhk32.exe
824	Njljefql.exe
740	Ndbnboqb.exe
3232	Njogjfoj.exe
1660	Nddkgonp.exe
3220	Nkncdifl.exe
2676	Nqklmpdd.exe
1344	Ncihikcg.exe
3364	Njcpee32.exe
2456	Ncldnkae.exe
4848	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3724	4848	WerFault.exe	108

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 3792	728	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe	83
PID 728 wrote to memory of 3792	728	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe	83
PID 728 wrote to memory of 3792	728	ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe	83
PID 3792 wrote to memory of 1440	3792	Mnlfigcc.exe	84
PID 3792 wrote to memory of 1440	3792	Mnlfigcc.exe	84
PID 3792 wrote to memory of 1440	3792	Mnlfigcc.exe	84
PID 1440 wrote to memory of 1568	1440	Mpkbebbf.exe	85
PID 1440 wrote to memory of 1568	1440	Mpkbebbf.exe	85
PID 1440 wrote to memory of 1568	1440	Mpkbebbf.exe	85
PID 1568 wrote to memory of 2144	1568	Mciobn32.exe	86
PID 1568 wrote to memory of 2144	1568	Mciobn32.exe	86
PID 1568 wrote to memory of 2144	1568	Mciobn32.exe	86
PID 2144 wrote to memory of 2492	2144	Mkpgck32.exe	87
PID 2144 wrote to memory of 2492	2144	Mkpgck32.exe	87
PID 2144 wrote to memory of 2492	2144	Mkpgck32.exe	87
PID 2492 wrote to memory of 4480	2492	Mnocof32.exe	88
PID 2492 wrote to memory of 4480	2492	Mnocof32.exe	88
PID 2492 wrote to memory of 4480	2492	Mnocof32.exe	88
PID 4480 wrote to memory of 3360	4480	Mdiklqhm.exe	89
PID 4480 wrote to memory of 3360	4480	Mdiklqhm.exe	89
PID 4480 wrote to memory of 3360	4480	Mdiklqhm.exe	89
PID 3360 wrote to memory of 4812	3360	Mkbchk32.exe	90
PID 3360 wrote to memory of 4812	3360	Mkbchk32.exe	90
PID 3360 wrote to memory of 4812	3360	Mkbchk32.exe	90
PID 4812 wrote to memory of 4904	4812	Mnapdf32.exe	91
PID 4812 wrote to memory of 4904	4812	Mnapdf32.exe	91
PID 4812 wrote to memory of 4904	4812	Mnapdf32.exe	91
PID 4904 wrote to memory of 2708	4904	Mdkhapfj.exe	92
PID 4904 wrote to memory of 2708	4904	Mdkhapfj.exe	92
PID 4904 wrote to memory of 2708	4904	Mdkhapfj.exe	92
PID 2708 wrote to memory of 4992	2708	Mkepnjng.exe	93
PID 2708 wrote to memory of 4992	2708	Mkepnjng.exe	93
PID 2708 wrote to memory of 4992	2708	Mkepnjng.exe	93
PID 4992 wrote to memory of 1776	4992	Mncmjfmk.exe	94
PID 4992 wrote to memory of 1776	4992	Mncmjfmk.exe	94
PID 4992 wrote to memory of 1776	4992	Mncmjfmk.exe	94
PID 1776 wrote to memory of 4588	1776	Mdmegp32.exe	95
PID 1776 wrote to memory of 4588	1776	Mdmegp32.exe	95
PID 1776 wrote to memory of 4588	1776	Mdmegp32.exe	95
PID 4588 wrote to memory of 5044	4588	Mglack32.exe	96
PID 4588 wrote to memory of 5044	4588	Mglack32.exe	96
PID 4588 wrote to memory of 5044	4588	Mglack32.exe	96
PID 5044 wrote to memory of 1244	5044	Mjjmog32.exe	97
PID 5044 wrote to memory of 1244	5044	Mjjmog32.exe	97
PID 5044 wrote to memory of 1244	5044	Mjjmog32.exe	97
PID 1244 wrote to memory of 3256	1244	Mpdelajl.exe	98
PID 1244 wrote to memory of 3256	1244	Mpdelajl.exe	98
PID 1244 wrote to memory of 3256	1244	Mpdelajl.exe	98
PID 3256 wrote to memory of 824	3256	Mgnnhk32.exe	99
PID 3256 wrote to memory of 824	3256	Mgnnhk32.exe	99
PID 3256 wrote to memory of 824	3256	Mgnnhk32.exe	99
PID 824 wrote to memory of 740	824	Njljefql.exe	100
PID 824 wrote to memory of 740	824	Njljefql.exe	100
PID 824 wrote to memory of 740	824	Njljefql.exe	100
PID 740 wrote to memory of 3232	740	Ndbnboqb.exe	101
PID 740 wrote to memory of 3232	740	Ndbnboqb.exe	101
PID 740 wrote to memory of 3232	740	Ndbnboqb.exe	101
PID 3232 wrote to memory of 1660	3232	Njogjfoj.exe	102
PID 3232 wrote to memory of 1660	3232	Njogjfoj.exe	102
PID 3232 wrote to memory of 1660	3232	Njogjfoj.exe	102
PID 1660 wrote to memory of 3220	1660	Nddkgonp.exe	103
PID 1660 wrote to memory of 3220	1660	Nddkgonp.exe	103
PID 1660 wrote to memory of 3220	1660	Nddkgonp.exe	103
PID 3220 wrote to memory of 2676	3220	Nkncdifl.exe	104

C:\Users\Admin\AppData\Local\Temp\ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe
"C:\Users\Admin\AppData\Local\Temp\ef5882785e74b2cba3503f1100de5abda829c9420a8da1c6688f88e1c6dc33a6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\Mpkbebbf.exe
    C:\Windows\system32\Mpkbebbf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\Mciobn32.exe
      C:\Windows\system32\Mciobn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 400
        28⤵
        Program crash
        
        PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 4848
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mciobn32.exe

Filesize
75KB

MD5
8b34df2e24a77f3ad1e6465906351193

SHA1
0ee8e29590b3aee707e934cf6c042b407a549b1c

SHA256
17758ea2b152b168bea852f8b4f8f78cf240e2df7e67b0c95967d0b7068bcc43

SHA512
eaadfd80f3802f24bc15fe72c6ef5498fd0fa439c18a3e70c63fea96dcebf657210381f73688d0603c1ce100f36359689fedf133edcc05870d3d375a9acbfabf

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
75KB

MD5
15afbec07211c9b031bdbc8dd67f9398

SHA1
814fbdb0a414055c0cffa6bcacb3f47ba9fe2553

SHA256
d7b797f2570f41eabbe1e5deb6723e0eea25ba65a0b6a4dc9ed9601dd47c4d98

SHA512
3d54aea6f9e10121e0d0e6ea697c87f69e94236e3ae146d436348ada957b3e0a6f764d0c6a83f02430030f5323a4dcef3a6b1f5b7c98cc8b4820cf3597fa5d05

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
75KB

MD5
af4c0ee12434ebc7dc1445237c6c82d7

SHA1
487840c98798f34aa77a2705706b6805a45b4e9f

SHA256
ba6e7347f238e0745d860aeab53fdf7269f426a977857aa7916f971eff9ea4e9

SHA512
3e5f7c31efe4a43347bea89c1e2222e16c1d6c774be839f1d991140ad691f067f314cbd2d0a517d012438b56e4fff16286c70a37f4d6af8f8b067f1db95f6afa

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
75KB

MD5
6b1a5c8d389707eeb08e659777ab9639

SHA1
0720c35874837fcf4774c22d10a803290768121f

SHA256
555badff3de04dbdab3d9ceb0f035128d3d0823562695a49ec51a3434c06899e

SHA512
c70a503f98180a0a49f8ce76f250e5cac719b9433f75470a76b545a4287f859f57e6900db5f924328fe1a66574167183b6b94c5859ca32803b487796110ce0cf

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
75KB

MD5
cc1aeb30140b0f5ce84b86243f4d4694

SHA1
0428cb870546212bc0b81fe0dabac7ff078c4476

SHA256
5f7585374293dc74f69ba1c9cb1355b1eac7741d2c24bae04aa266f152c80c78

SHA512
f18f85121e4074dc0bae8a009f901755dcb14524d641e53e1ac9fd3647d1308b05e59ecfd70eb39091b6140d1af7836d5444334888be5b04c82189d4af2d97ad

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
75KB

MD5
626c08da8bb1362e946c02dae4447d16

SHA1
e03eabf1402df80ec8e6bf840e5b5f7212b09a9a

SHA256
6ac956e161e8f20243cb7d7171ea5c6ce186d236c5d2d4c89125823c3a7f50fe

SHA512
ac21f42537386762d8dee73cbe3761e053289bf096da0576e456ea27e6fc814dbf71987e5fc27f296c623fc10da68e7edafc78b577e6dca69deeb07dfea8a34a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
75KB

MD5
f89fafed5dc428edff38834df50ee779

SHA1
6ed8ef3e8dc1d0cd6f9e1424320f94b09b3fa936

SHA256
a9b763cf9a383c91ef329a6e43782886d5e94c6df280e5920fea1e93a6ed0c34

SHA512
9a05059b1e4e5ea724b59ea0646c9eb16fcc147bf372c914752ab4c6dc86517e3ae6ba566318258d557fbfbd5a03e0c0edbd9d5994515141a4514f25c0b39871

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
75KB

MD5
1fd5b414b257ccf0e5b18d2a5ba39f96

SHA1
8e91fd5c3166d9621ab97a71a923c07cdc67b021

SHA256
df44f8acbd2c8d13bb58549528e343cfa41d7b4baf9107d14ddb1b26e4a6fb5b

SHA512
6adec506d980463829a008f19c5187869a34963793d294da924f629e84c41de0356322aeec23000a63375d6041d3ec8b55a936720672d5eb6569232d2bc96065

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
75KB

MD5
8aa3a9c170ba0363ea734ae44434627e

SHA1
73ecc9c6b863e28bd9e007cb42d649a8a240a1a7

SHA256
3971a7b1ab594590d63c8cdd548848b9002b3e26ff679b27b305c2326b838b4c

SHA512
79581510e0740aa97ef150dc05a3a4f827667c89f1d354a84a0259d1a945d8fb9e99379500173e51ce022b4bd0c44638df131101613ade7d0b0d0d675252679b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
75KB

MD5
659c1b9401e7f944e869e96cd6e20d2a

SHA1
164a727cb58ceb93803ec0a8428536e504e37b93

SHA256
6d9ab05922074db03288084a966a3b19e0c1a48679f0040523b4ec0cf3f0108b

SHA512
40bc96c20f438717cb129c9111f5e252bc8e3894714586d57516879127ed9ff8e6adcb513f116cd16d17ed2b3b329c504fc27118b2843bc66591239a021e4afa

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
75KB

MD5
2a39a1e8a5e1b9a07aa93977da9b1c30

SHA1
de6c331cc2bbf83a6ccad57686d709601f8dc3c2

SHA256
1e053c87fae98614b5bf1da94cdd607865177c510c8d671ecd318666c4b42041

SHA512
5a8eafa41f78d49719e81b98fa41e1814bfc995a78692667aa964bb321c2ac18d983a198ba8a40ba26dc52f90cc5aaa069847365fa843509eb9e1b7508c04ca7

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
75KB

MD5
77b573e5c4ff4bb4dfe527cf92b5c4a8

SHA1
e5c20bfeb0e7e712ea2b2988cc31559a05a835e3

SHA256
20712d1d09a20e8785922a01a0c2379a8e5d02ac499bf8460577b38c2f4b3a9a

SHA512
8d0c7040ee10075be4ea8c06ec4bdec6e20ab5f844071353d8a22303e8c1e498d6ace9222b3aae6ee0103eb8d0f08dafda0d082272eec08e7500192b3fb7392d

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
75KB

MD5
cff68ad75b14ced57c7843574e968ae0

SHA1
b51214fd64858018f5c8c222353ba023483cc015

SHA256
71fb7d2def7c179f41a8c8474aeb81f03d957e7f80f6cea3454eacdf12ada87c

SHA512
c5e5a8eef3573be69c9871046f6964f056eac2699968ad76d8607b5ee526a817b9cc0d21347505b13ff29e6577465c4d1686df26195b561bceef94b941119d99

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
75KB

MD5
cf203f0350cc6eba0c323779d13ca48d

SHA1
4af1a068c85921ffba425a5fb0c498c3a03d6d53

SHA256
335ddfe15aead5844a473c5387c10d7e0a78d0ea16514312dc3f8a6eb03b565d

SHA512
d6b76df9ba5d76f2a2e7c3d287b4c14739b274e648905c2a0ee8b68d694b25702ad9122e02f73719befecdf6559a622bdd975bf0a40a4160ef48802bd4fa5fe8

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
75KB

MD5
5ed2141993651723facf4801d64454f5

SHA1
6506c35931db96f368a9428d4c28dc7063673adc

SHA256
4373e80417f3b03cf259ee06a911c47d1b5b91b5e0af3106f9cf7a740bc51f96

SHA512
4b437f0168963552d07d585135e2c27e73408a9ac32f1dd7aac8463ea36e5dd1894ee602f9214eb93811488dbf692c40c5c85dee424e12c117e8c5ec061c64fe

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
75KB

MD5
da4ef83aaed718293f052d5482aad591

SHA1
68927a7c2e7e6ff4a7c1878891443333d05d5558

SHA256
0c121b641b3605d27a64d927237173f24009bc43b3482f8cc7ca68589e646ff0

SHA512
ff41e93e031931668f881e66d8005da2d3237078ae1c7aba7f1c1e498807586f7e2a44eb1a6cb611078242c692848d06543da61e8ca31b0cdb77aa8b62d24466

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
75KB

MD5
a8fdc52de1ebd09d5fdebe61ccadbfa5

SHA1
7fd7cc473181e37a455256908c8420df35d8bee5

SHA256
eb3b5b7356c1055cd0de83734761d6107951fb09d027ae864dafd2e361c207f6

SHA512
9813d36890c381a9234228d0244598774af5a69beee175cd18d9836d223c507991747830c7ac2212bae6e60735d5a59b7541d20bfe0bb13ac7749649d5b147ba

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
75KB

MD5
7807eae052b6d507649acc96d7770f0a

SHA1
65f889d6d87747eb993a348b7bb023f58a55d243

SHA256
43c513ff2cc5724af4538d0ab572a02bc0951c848b1f6795d96d48cc19ba8940

SHA512
de523e2f54961c1599162baed1272ff916efb9abfe346f3ab6500407484fb0fee8a45524b871fdf855efd5a659eabcc82292dd6126590d6788ae0d6837b47482

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
75KB

MD5
f3505ed9bc48129f613d5077ff416eaa

SHA1
9472cdd90eae8d49c3ac50a277bc969c3b514bf5

SHA256
1eff4aa4fa120a860684f41bc70e2240fb5dcd441c46b9859905c056fadfef0c

SHA512
192936cf5f764d0c414120d907a347cf93fecfaf473b2671c9109a27a4aa4e6e8415c4bd43df4031fe1adfb4331470896d584b78a327f19ec81c8904752d7cb9

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
75KB

MD5
5949384fe359740ba76ba9dcfe83ec6c

SHA1
acf292edbc66e8a2fd87c155033d97bd7e0d82b9

SHA256
cda6b3f974ab4f43a78a6a9fd245aa8c1ea3264db4546ffbf00c57ee6e69a4ec

SHA512
35d27c9cd6d49cf4d026b38d7bbd384118a2fd1fb35b0f68fa59d7ae1722d8dbab300c65e4413d8708828ad8688e8cb3a0741a532008f543bb34e044fabd7df8

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
75KB

MD5
1956f8d1c5a0445946a256472abb44f3

SHA1
ca1b40a444db05c150cd8c32269445de8d3a298b

SHA256
21e5b73ffa2dc25f3d532e75389ae21dec189832b0573b0b1382d87c086f690f

SHA512
94a11f2d704610eb529c4517ddb1ea83a1d6a67ef84e041f7154c915841e24e5d7e600fc59b7f4a33449615f0cd9afee9fe5d8eb395047b3fab497b79f4b6af4

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
75KB

MD5
3ef915dc6d0952ffa5d6a564f902e19a

SHA1
312f7e3d77c339c596e1bb6fa47e0ce3a9344555

SHA256
5e70026b1cd531c9b4c40fb3e36dec8eccc3f09892691a0ccff13fb8f4f3e9b6

SHA512
18294f4f15bd0ffdf562a540a3ee8389baf6116d7fb49f198e707213c2a5cd5ed64a39457b37b22ef2a733bfaf91487182241864370771e8dab3e62bfd8b34d5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
75KB

MD5
ef30564565de523dd10a8c6797df32ac

SHA1
a0b96feedf63f634d8149f41f30850445adca5aa

SHA256
06cbc237fa029db6ae0a5d80f063e3a21a453baab9c8523531f2bb02b734f6c4

SHA512
cc8db6da431da2c66d8432b4c2b9ef21a6742ba42b5b206068f2697bf330e31ec83eb0f2da1a726e68e96ed7ff003c1554f3b86873cea3d9a0100da230b406ba

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
75KB

MD5
676f10ade992a515b809063d58f456b0

SHA1
d660dae872f6a250cc8074524606cbfad86c6bdc

SHA256
e158a8f59ec127512027f11bc6552693a0009482267c641c8f42d4b6b7f118a9

SHA512
e2c6812b99c961cfc2341385a4444aff34cc6ac5d746e9a9669d58bba8f8561b2f450ce15965ede1eb4d88e79a31d28fdf075fd9cdbf69dd1180d434bc6887ce

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
75KB

MD5
4067ae20fce05a5d5eae470f71c4df2d

SHA1
fa306ee9dfb9d58b0bb2da5ae1c147dc80211dfb

SHA256
fee5847cc59499691d97535548ac3fbb736b5f2e7360424ff6011954bff0a372

SHA512
1314575312b023a02f5c3e2b8c16260edb5fa154e84af00d1ecb32670a577c860c426f4adb803eef15f9c9c6b1c1e873f0355028a20648606839ff3ea068e3e6

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
75KB

MD5
807543d8d45d0e453d72fe494765bc84

SHA1
ab96ac0d58bb61f09b0acafeaba86175153739fc

SHA256
91adba2c741dcb193fee02e4ad73b25acc658ad1677da003913d82f83e41f734

SHA512
471b91697fe2c3ede8d8397d55d34482179e0fd25277c6e089034e08920abdecda7146134d1a876d5314c0a52c77565797a556a8c063cbdeb676e3c0aaaa528e

Download Submit
memory/728-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/728-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/728-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-137-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2144-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2456-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2456-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3220-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3220-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3232-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3232-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3256-221-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3256-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3360-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3360-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3792-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4480-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4480-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5044-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads