Overview

overview

10

Static

static

8

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

3

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

8

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

10

ฺฺฺ�...�ฺ1m

windows10_x64

1

ฺฺฺ�...�ฺ1m

windows10_x64

3

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

  • max time kernel
    30s
  • max time network
    75s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31.bin.exe

Score
10/10
agenttesladharmaformbookagilenetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.0

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • AgentTesla Payload 2 IoCs
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Formbook Payload 3 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Executes dropped EXE 16 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks QEMU agent file 2 TTPs 1 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\31.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\31.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\System32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B963.tmp\B983.tmp\B984.bat C:\Users\Admin\AppData\Local\Temp\31.bin.exe"
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"
          4⤵
            PID:212
          • C:\Users\Admin\AppData\Roaming\2.exe
            C:\Users\Admin\AppData\Roaming\2.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Users\Admin\AppData\Roaming\2.exe
              C:\Users\Admin\AppData\Roaming\2.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:3756
          • C:\Users\Admin\AppData\Roaming\3.exe
            C:\Users\Admin\AppData\Roaming\3.exe
            4⤵
            • Executes dropped EXE
            • Checks QEMU agent file
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2896
            • C:\Users\Admin\AppData\Roaming\3.exe
              C:\Users\Admin\AppData\Roaming\3.exe
              5⤵
              • Loads dropped DLL
              PID:3964
          • C:\Users\Admin\AppData\Roaming\4.exe
            C:\Users\Admin\AppData\Roaming\4.exe
            4⤵
            • Executes dropped EXE
            PID:1308
          • C:\Users\Admin\AppData\Roaming\5.exe
            C:\Users\Admin\AppData\Roaming\5.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3696
          • C:\Users\Admin\AppData\Roaming\6.exe
            C:\Users\Admin\AppData\Roaming\6.exe
            4⤵
            • Executes dropped EXE
            PID:2224
          • C:\Users\Admin\AppData\Roaming\7.exe
            C:\Users\Admin\AppData\Roaming\7.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1200
          • C:\Users\Admin\AppData\Roaming\8.exe
            C:\Users\Admin\AppData\Roaming\8.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4000
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
              5⤵
                PID:3340
            • C:\Users\Admin\AppData\Roaming\9.exe
              C:\Users\Admin\AppData\Roaming\9.exe
              4⤵
              • Executes dropped EXE
              PID:3576
            • C:\Users\Admin\AppData\Roaming\10.exe
              C:\Users\Admin\AppData\Roaming\10.exe
              4⤵
              • Executes dropped EXE
              PID:1644
            • C:\Users\Admin\AppData\Roaming\11.exe
              C:\Users\Admin\AppData\Roaming\11.exe
              4⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Maps connected drives based on registry
              PID:732
            • C:\Users\Admin\AppData\Roaming\12.exe
              C:\Users\Admin\AppData\Roaming\12.exe
              4⤵
              • Executes dropped EXE
              PID:992
            • C:\Users\Admin\AppData\Roaming\13.exe
              C:\Users\Admin\AppData\Roaming\13.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3992
            • C:\Users\Admin\AppData\Roaming\14.exe
              C:\Users\Admin\AppData\Roaming\14.exe
              4⤵
              • Executes dropped EXE
              PID:3560
            • C:\Users\Admin\AppData\Roaming\15.exe
              C:\Users\Admin\AppData\Roaming\15.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3968
            • C:\Users\Admin\AppData\Roaming\16.exe
              C:\Users\Admin\AppData\Roaming\16.exe
              4⤵
              • Executes dropped EXE
              • Drops startup file
              • Adds Run key to start application
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:192
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                5⤵
                  PID:2220
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:3592
            • C:\Windows\SysWOW64\wlanext.exe
              "C:\Windows\SysWOW64\wlanext.exe"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3984
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Roaming\2.exe"
                3⤵
                  PID:1520

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\B963.tmp\B983.tmp\B984.bat
              Download Submit

            • C:\Users\Admin\AppData\Roaming\1.jar
              Download Submit

            • C:\Users\Admin\AppData\Roaming\10.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\10.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\11.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\11.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\12.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\12.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\13.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\13.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\14.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\14.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\15.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\15.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\16.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\16.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\17.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\17.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\18.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\18.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\19.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\19.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\2.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\2.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\2.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\20.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\20.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\3.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\3.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\3.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\4.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\4.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\5.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\5.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\6.exe
              MD5

              cf04c482d91c7174616fb8e83288065a

              SHA1

              6444eb10ec9092826d712c1efad73e74c2adae14

              SHA256

              7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf

              SHA512

              3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

              Download Submit

            • C:\Users\Admin\AppData\Roaming\6.exe
              MD5

              cf04c482d91c7174616fb8e83288065a

              SHA1

              6444eb10ec9092826d712c1efad73e74c2adae14

              SHA256

              7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf

              SHA512

              3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

              Download Submit

            • C:\Users\Admin\AppData\Roaming\7.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\7.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\8.exe
              MD5

              dea5598aaf3e9dcc3073ba73d972ab17

              SHA1

              51da8356e81c5acff3c876dffbf52195fe87d97f

              SHA256

              8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

              SHA512

              a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

              Download Submit

            • C:\Users\Admin\AppData\Roaming\8.exe
              MD5

              dea5598aaf3e9dcc3073ba73d972ab17

              SHA1

              51da8356e81c5acff3c876dffbf52195fe87d97f

              SHA256

              8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

              SHA512

              a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

              Download Submit

            • C:\Users\Admin\AppData\Roaming\9.exe
              Download Submit

            • C:\Users\Admin\AppData\Roaming\9.exe
              Download Submit

            • memory/192-108-0x0000000000000000-mapping.dmp

              Download

            • memory/192-109-0x0000000000000000-mapping.dmp

              Download

            • memory/212-3-0x0000000000000000-mapping.dmp

              Download

            • memory/732-55-0x0000000000000000-mapping.dmp

              Download

            • memory/732-56-0x0000000000000000-mapping.dmp

              Download

            • memory/992-67-0x0000000000000000-mapping.dmp

              Download

            • memory/992-66-0x0000000000000000-mapping.dmp

              Download

            • memory/1200-28-0x0000000000000000-mapping.dmp

              Download

            • memory/1200-30-0x0000000000000000-mapping.dmp

              Download

            • memory/1308-17-0x0000000000000000-mapping.dmp

              Download

            • memory/1308-15-0x0000000000000000-mapping.dmp

              Download

            • memory/1308-91-0x0000000003680000-0x0000000003681000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1520-64-0x0000000000000000-mapping.dmp

              Download

            • memory/1644-48-0x0000000000000000-mapping.dmp

              Download

            • memory/1644-49-0x0000000000000000-mapping.dmp

              Download

            • memory/1644-105-0x0000000003140000-0x0000000003141000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1644-103-0x0000000002F83000-0x0000000002F84000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1924-5-0x0000000000000000-mapping.dmp

              Download

            • memory/1924-4-0x0000000000000000-mapping.dmp

              Download

            • memory/2128-0-0x0000000000000000-mapping.dmp

              Download

            • memory/2220-113-0x0000000000000000-mapping.dmp

              Download

            • memory/2224-41-0x00000000001E0000-0x00000000001F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2224-23-0x0000000000000000-mapping.dmp

              Download

            • memory/2224-22-0x0000000000000000-mapping.dmp

              Download

            • memory/2896-9-0x0000000000000000-mapping.dmp

              Download

            • memory/2896-8-0x0000000000000000-mapping.dmp

              Download

            • memory/3340-100-0x0000000000000000-mapping.dmp

              Download

            • memory/3560-83-0x0000000000000000-mapping.dmp

              Download

            • memory/3560-85-0x0000000000000000-mapping.dmp

              Download

            • memory/3560-166-0x0000000003280000-0x0000000003281000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3560-162-0x0000000003193000-0x0000000003194000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3576-89-0x0000000008620000-0x0000000008673000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3576-63-0x00000000058D0000-0x00000000058D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3576-60-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3576-88-0x0000000005650000-0x0000000005652000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3576-46-0x0000000072490000-0x0000000072B7E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3576-42-0x0000000000000000-mapping.dmp

              Download

            • memory/3576-43-0x0000000000000000-mapping.dmp

              Download

            • memory/3576-71-0x0000000005470000-0x0000000005471000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3576-92-0x0000000008720000-0x0000000008721000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3576-84-0x00000000053E0000-0x00000000053E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3696-20-0x0000000000000000-mapping.dmp

              Download

            • memory/3696-19-0x0000000000000000-mapping.dmp

              Download

            • memory/3756-13-0x000000000041E2D0-mapping.dmp

              Download

            • memory/3756-12-0x0000000000400000-0x000000000042D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/3964-104-0x00000000004015B0-mapping.dmp

              Download

            • memory/3968-90-0x0000000000000000-mapping.dmp

              Download

            • memory/3968-93-0x0000000000000000-mapping.dmp

              Download

            • memory/3984-52-0x0000000000000000-mapping.dmp

              Download

            • memory/3984-53-0x00000000013E0000-0x00000000013F7000-memory.dmp

              Filesize

              92KB

              Download

            • memory/3984-54-0x00000000013E0000-0x00000000013F7000-memory.dmp

              Filesize

              92KB

              Download

            • memory/3984-120-0x00000000011E0000-0x0000000001321000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/3992-74-0x0000000000000000-mapping.dmp

              Download

            • memory/3992-72-0x0000000000000000-mapping.dmp

              Download

            • memory/4000-73-0x0000000001130000-0x000000000113F000-memory.dmp

              Filesize

              60KB

              Download

            • memory/4000-47-0x0000000072490000-0x0000000072B7E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4000-36-0x0000000000000000-mapping.dmp

              Download

            • memory/4000-37-0x0000000000000000-mapping.dmp

              Download

            • memory/4000-99-0x0000000005480000-0x0000000005482000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4000-59-0x0000000000970000-0x0000000000971000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4000-97-0x00000000054F0000-0x00000000054F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4000-96-0x0000000005470000-0x0000000005472000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4000-80-0x0000000002C70000-0x0000000002C72000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4236-116-0x0000000000000000-mapping.dmp

              Download

            • memory/4236-115-0x0000000000000000-mapping.dmp

              Download

            • memory/4292-123-0x0000000000000000-mapping.dmp

              Download

            • memory/4320-149-0x0000000005100000-0x000000000513A000-memory.dmp

              Filesize

              232KB

              Download

            • memory/4320-139-0x00000000006F0000-0x00000000006F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4320-147-0x00000000050B0000-0x00000000050FD000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4320-132-0x0000000072490000-0x0000000072B7E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4320-128-0x0000000000000000-mapping.dmp

              Download

            • memory/4320-127-0x0000000000000000-mapping.dmp

              Download

            • memory/4380-133-0x0000000000000000-mapping.dmp

              Download

            • memory/4396-136-0x0000000000000000-mapping.dmp

              Download

            • memory/4396-134-0x0000000000000000-mapping.dmp

              Download

            • memory/4572-154-0x0000000000000000-mapping.dmp

              Download

            • memory/4572-155-0x0000000000000000-mapping.dmp

              Download

            • memory/4660-164-0x0000000000000000-mapping.dmp

              Download