3bdb9cf5ec8145f0af04e056bc82dac0431b7081dd8a63b7441f26bf743c5352

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 00:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Size

29KB
MD5

aa4f7419e5b16dfac489c31fd3a300e0
SHA1

e4643508c27cf4fa5e6fffda160a3a0b9870ebd2
SHA256

3bdb9cf5ec8145f0af04e056bc82dac0431b7081dd8a63b7441f26bf743c5352
SHA512

4cb41fa978b219ec5f51e34fdd19e8d6b75e42f03089fc40f1b15da27e91cee1a0cf1e0c85d3104cc01b00b7de408361695ebe86c0ed9bd087809177ca39d166
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/W:AEwVs+0jNDY1qi/qe

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3008-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3008-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00350000000148ac-7.dat	upx
behavioral1/memory/3056-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3056-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3056-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3056-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3056-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3056-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-41-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-55.dat	upx
behavioral1/memory/3008-63-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-69-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-74-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-79-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3008-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3056-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3056-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
File opened for modification	C:\Windows\java.exe	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
File created	C:\Windows\java.exe	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3056	3008	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe	28
PID 3008 wrote to memory of 3056	3008	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe	28
PID 3008 wrote to memory of 3056	3008	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe	28
PID 3008 wrote to memory of 3056	3008	aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\aa4f7419e5b16dfac489c31fd3a300e0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f967c88cd908bf630f130b9b83e77c2

SHA1
876c4f1643e91253451fc24342701b14a33720c0

SHA256
d2f30d339709f1d5ce9e2aa2b9d39cfa3693e1484825a600b0782d997ecf5779

SHA512
81c7f491a8f2e3992c2602f147ada4f989a3ee8d7c75d209807809b463768ab1081b6d844201e3c7745c3d78d4e115e5f3d414c7afd2b915e077775995ede4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d49383fffb8660eb7d3c644109aa3fe

SHA1
887a982ee5d548ac80bb02f2dd7ee5d835e19c89

SHA256
b9d5fcdf9c86ea7dbdf8e351ba2538a1fd2e3b21be98e43bdc6aaef2ac41638e

SHA512
cf6decb6b2ec5b78e1eb52b4f6b8ad91851f116a45173590ebb9488cff715559433bee1348eb464a68edd1dd0171af3aa3e93c56c860292faa3ffc748a7c3af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20d16fdf11db91db5319456de56dd60f

SHA1
7433d219c610cf9128a31a3af22c8c8fd8de1267

SHA256
9ca62b2ae09102471247f44721c4c38bffdefe500d9a0c7290cc047e82bea4ff

SHA512
c2d31a1ce6855d4b2c9a2ab687d45bf8ef4c9d16bf229181bfbd02b6ac9e90329d648a9ade198b9656681da5f27400762e7a4ed5dc20de7e79c0006c7a9f095c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5a91b554ae821ba80a3938a88292b48

SHA1
a115f87abd5e72b23bd024075c0017bd607a0599

SHA256
460e7d71a689be41683e7d24fb3e9429dbd01de2ed4a501e56f91d1c43dd2b26

SHA512
6e62117f4726d64e1bd1188e3cca266bbae2a6e012a6c606c57f2a0ddaa5f9fac5900f9ca76996acf2ccd3f4b552dc9ac65b91b23cb8607071c1b0c4e110d4c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42149f0133bcaf1333a82371dbc41db9

SHA1
556f06b59f2553aa48769874bc348967e4c74c44

SHA256
1b5ed4286480f39e7d5bf08b3f0db7fd514df0eafead7ae9ae239381f75a82e2

SHA512
187f17532f120507b400e3e77d2c724465f349c67e098a087767ebfe4ed4f33c278a3fd0185eade2c843508e9517b619291e24eb76f64643c588d9f2c3be4d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6847e8dbbcd2e74cf17f5263e9677426

SHA1
5aabe8480e7cda30de3d202a1a36fa742d5fe8b6

SHA256
65842353807ebf96d1aee394c3de3f262ccf793a316fe00ab413d7603f452d31

SHA512
3545df29313935cfd565be94dd0766aaa34b3553979f8b0762a70f95e8cf336d941b44206f095745060e5bcb53943273072230c74a59875e45269280ca215af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa96085a5b666528e03671d8b9931c7e

SHA1
17860eb0fd456994c7d39175deb2fe44e0bd759e

SHA256
cd9a46e1f4abf8617ea8c99f1a13bb669e6dfa5d42bc852c290438810da7c69b

SHA512
34687732498e33be799dd499709634aca7cb9a01dd10745bc21e6225b9ec8da509f10d8d1a4f4494233263b74204e08120556f0019d37a6b090fd8262b7f081c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4dad64775c10fd6659d00d21092efb7

SHA1
70648a13cd63e480d33aa7b810f566546aa42779

SHA256
f6956fc1b2eeee1e8002ec22e5119f1dac464f35170945ce37d3c9258e1406cb

SHA512
8ebbfa663c05caebc626b90ec50e214cce7f0b9a382b259733a1c34a6cd033002baf58c3ba0b8bdca10585f715c476790f2022efdf59b9838328ddb91c718d48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2f79b0bceffbf8e8a88ed0b6e668dea

SHA1
a2822c9151bc42e6ca4c1972192ba5c85e8f0e54

SHA256
03658731dcb272e1fd6b7678469fabd1dd73b59546b1f9e14fced1dd96338cd1

SHA512
678fb2e888255e47ec36b4c839a4872524cfa289aad3f31939e50d14ebc4dd90a2dff7c920787e417378c81a386ff7003b3ce83eeb24ee83efc8e08d46e634c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac5c56aa6bb3eae70377c7242fa76355

SHA1
2c23e345c5fc83bd78f65c08035c98eec521de72

SHA256
3f47e4c3e82fe7dfefd146332b186b719baf6d9eaf98bf1627e402df09ebd37a

SHA512
9b58f89e8f3a2bf725e162ef92a9c28c9998f2ec2b8b071e82e6c19b55ec670a86ecdac60614d8edc6c7c7257f10b0e23661375d9db032f96c450ee5d08ce4d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db350d87c7614ab83317bea3d8fee0b5

SHA1
3800419dbc48659e5d4cf6de358833e6bd4ba3d8

SHA256
aa866b14cb6e49bb103b9b6da0dfb0a6d34558e8d2933ccd460c553a95861147

SHA512
a62b582fffbcbc279b824a4b23f58ba45d95c6386c415f4008d7964cc6900d66520eacbdf77a2f6dc55952105d6ebbe63e00f9f2b10db93c256691982cefc3bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ee0ce7d6dc80bb784bfc2ee7fe7aacf

SHA1
66db28b6aa50d7437c38c60db7a786277dc21db1

SHA256
4023bb025c6d603087d60f134ea8075e8df7e173c5de7c75ad0811ed67fd29c0

SHA512
e8a63b45e128cc397ae72ed027c93d1025f2586a8b10bb28b82793ac7a82585d245aa023d7e6ec98eb600d853aa7e5f714745e7fdeed30fa041a8278fa08a43c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81cce6834ef2a98c6be170c0cee4b1a6

SHA1
e659990ababd817482374b9f0de0ffa718546dd6

SHA256
a136f7cf96ca4414d9cd5a44fa0b8a9b96fa464900ef63aff9165f36755a3738

SHA512
051e45bfdb83188e3b1b5e82fa326aa1a96ae72f0df7622cbece30b9f44979e786e091cb34b9288fde2a2711721311adcc106ec35af303a2f15196f50346df78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
389413c997a38eb427661da050e579de

SHA1
53e9c9272da83bec82c0cc85aa22a488fb90617a

SHA256
164d79a3b97607aee883b5c7d4a750dc1f3bf370a209e445766f60ab77f680c9

SHA512
bd07e4c08b215599ee281651f4306f3b30d7f1b5396d1de614df546ce69e3713da0c0d8f9ffb34d7c9b931465509c2b1e8189f4182906f5a22673fd947230bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4FB1.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FE3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\atbdeE.log

Filesize
256B

MD5
d968628aae711475babe7a81e330500a

SHA1
6c6c82ad4a07aeebbcca02d3610fde2a4ee44266

SHA256
a9bc7249a84e24daf390f66cf26a7ec6ef779c3085af81cc773a3e55a50de0da

SHA512
1ae0eaf9d1a61217826087f629322a8af2b197da19dd51a26ee8851332582741bdec3f9952bd13d70ba747067edbc9caa93f61087a674b1cc28fad19056998b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp515D.tmp

Filesize
29KB

MD5
ce37e70936b54afce09bcbb3d102136f

SHA1
d74a37dae64ee9f467daecd64073295acebec3ec

SHA256
d1eef300dc0947e2444773247ec546f5ebdd95c264ae43776316000276c08e1b

SHA512
24a36f02eb223793682a6e196859fb0b6c5d9ca8558e9222158a07d0be54985c78eecb86ea3fb9b698da1b9dcfe3ceed826b55fe180c4149ae76186119cb0c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
17ec81543e409cc3ea995be3802610d2

SHA1
9733795d2ab23cfaf4645c90ed17a4d8d3c3383e

SHA256
a304e224958de01adebb67aeddebba005749379edb8d88dd7b74cc6c7645dc2a

SHA512
bf18d193a631d08182e2cd5eef0c35c8c1cfd74315db0bb46b01294e9773891fb923860234601b1926ef44cf04dcb9a59c8a7bf15871d883c6bd63aac123b1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
30c3aa5869e3be0af4e8217b0399abd2

SHA1
72556702911600997d5f52204dee88de524d038f

SHA256
66c4f1194dc73cf148c18f42f0af81775b9607b182e0d90fa38dc1005a0d2b61

SHA512
ed60622b7f071745db08484f598bf2078dae394a039d051b659acfc9cc26fc72c262330ec2cc118e1fd4c7ddcc59b50889a958772fbbf7c71e479440e5919e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
05766d78e2e9b43a84303edda80107f4

SHA1
99211283798ff3b54093c1a694d6283afaaff236

SHA256
adde6a39dc36d9c5d1afdd4da6912eaa8f31387163523b9d383df07f40414d07

SHA512
c51ad92593992dbc627624b11dd3f8b8b380e8709c1d29eaaa82fc6f76368d08fe8046abd855d7236d50551b2e5c04d9b035bdf1a636f66c00fb99f2bb26a3c1

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/3008-74-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-79-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-41-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-69-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3008-63-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3056-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3056-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads