gh0strat | f6087b5b38afaa2ea8da58c002ae713c100566b8c0545f051bd97e8c0d3e67e5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.6MB
MD5

3601472d942d7a893e015cbea6a2931b
SHA1

b57bf034b799265bbdc5ca6e269645fc2159c411
SHA256

f6087b5b38afaa2ea8da58c002ae713c100566b8c0545f051bd97e8c0d3e67e5
SHA512

8908796d8da86ec09b4688949ca2089eac111146359d531243294028bb6c97189355b4a440cc329346dd737e563ce48441015d0a0f85d83330bedfc19a9d2dc2
SSDEEP

49152:WCwsbCANnKXferL7Vwe/Gg0P+WhGwTC+D:hws2ANnKXOaeOgmhGwTC4

Score

10^/10

gh0strat purplefox evasion persistence rat rootkit trojan upx

Malware Config

Extracted

Family

gh0strat

159.75.0.162

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 14 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240581109.txt	family_gh0strat
C:\Windows\SysWOW64\240581109.txt	family_gh0strat
\??\c:\windows\SysWOW64\240581109.txt	family_gh0strat
behavioral2/memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4536-199-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
C:\Windows\SysWOW64\240581109.txt	family_gh0strat
behavioral2/memory/4536-207-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
C:\Windows\SysWOW64\240581109.txt	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	tmp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	tmp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\tmp.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe:*:enabled:@shell32.dll,-1"	tmp.exe

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

R.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240581109.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_tmp.exeRemote Data.exe

pid process

2240 R.exe
3876 N.exe
3984 TXPlatfor.exe
4560 TXPlatfor.exe
4536 HD_tmp.exe
4624 Remote Data.exe
Loads dropped DLL 4 IoCs

Processes:

R.exesvchost.exesvchost.exeRemote Data.exe

pid process

2240 R.exe
4056 svchost.exe
3688 svchost.exe
4624 Remote Data.exe

pid	process
2240	R.exe
3876	N.exe
3984	TXPlatfor.exe
4560	TXPlatfor.exe
4536	HD_tmp.exe
4624	Remote Data.exe

pid	process
2240	R.exe
4056	svchost.exe
3688	svchost.exe
4624	Remote Data.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3876-150-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3984-158-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
behavioral2/memory/4536-172-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral2/memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4536-207-0x0000000000400000-0x00000000004D6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HD_tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_tmp.exe"	HD_tmp.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HD_tmp.exe

description	ioc	process
File opened (read-only)	\??\T:	HD_tmp.exe
File opened (read-only)	\??\U:	HD_tmp.exe
File opened (read-only)	\??\V:	HD_tmp.exe
File opened (read-only)	\??\Y:	HD_tmp.exe
File opened (read-only)	\??\K:	HD_tmp.exe
File opened (read-only)	\??\L:	HD_tmp.exe
File opened (read-only)	\??\S:	HD_tmp.exe
File opened (read-only)	\??\X:	HD_tmp.exe
File opened (read-only)	\??\B:	HD_tmp.exe
File opened (read-only)	\??\E:	HD_tmp.exe
File opened (read-only)	\??\O:	HD_tmp.exe
File opened (read-only)	\??\J:	HD_tmp.exe
File opened (read-only)	\??\N:	HD_tmp.exe
File opened (read-only)	\??\R:	HD_tmp.exe
File opened (read-only)	\??\F:	HD_tmp.exe
File opened (read-only)	\??\H:	HD_tmp.exe
File opened (read-only)	\??\I:	HD_tmp.exe
File opened (read-only)	\??\Q:	HD_tmp.exe
File opened (read-only)	\??\W:	HD_tmp.exe
File opened (read-only)	\??\Z:	HD_tmp.exe
File opened (read-only)	\??\G:	HD_tmp.exe
File opened (read-only)	\??\M:	HD_tmp.exe
File opened (read-only)	\??\P:	HD_tmp.exe

Drops file in System32 directory 7 IoCs

Processes:

N.exesvchost.exeR.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\240581109.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3764 4056 WerFault.exe svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	tmp.exe

pid	pid_target	process	target process
3764	4056	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_tmp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4788 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

tmp.exeHD_tmp.exe

pid process

4588 tmp.exe
4588 tmp.exe
4536 HD_tmp.exe
4536 HD_tmp.exe
4536 HD_tmp.exe
4536 HD_tmp.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

4560 TXPlatfor.exe

pid	process
4788	PING.EXE

pid	process
4588	tmp.exe
4588	tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe

pid	process
4560	TXPlatfor.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

HD_tmp.exe

pid	process
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe
4536	HD_tmp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

N.exeHD_tmp.exeTXPlatfor.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3876	N.exe
Token: SeDebugPrivilege	4536	HD_tmp.exe
Token: SeLoadDriverPrivilege	4560	TXPlatfor.exe
Token: 33	4560	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	4560	TXPlatfor.exe
Token: 33	4560	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	4560	TXPlatfor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

4588 tmp.exe
4588 tmp.exe

pid	process
4588	tmp.exe
4588	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeN.exeTXPlatfor.exeHD_tmp.exe

description	pid	process	target process
PID 4588 wrote to memory of 2240	4588	tmp.exe	R.exe
PID 4588 wrote to memory of 2240	4588	tmp.exe	R.exe
PID 4588 wrote to memory of 2240	4588	tmp.exe	R.exe
PID 4588 wrote to memory of 3876	4588	tmp.exe	N.exe
PID 4588 wrote to memory of 3876	4588	tmp.exe	N.exe
PID 4588 wrote to memory of 3876	4588	tmp.exe	N.exe
PID 3876 wrote to memory of 1988	3876	N.exe	cmd.exe
PID 3876 wrote to memory of 1988	3876	N.exe	cmd.exe
PID 3876 wrote to memory of 1988	3876	N.exe	cmd.exe
PID 3984 wrote to memory of 4560	3984	TXPlatfor.exe	TXPlatfor.exe
PID 3984 wrote to memory of 4560	3984	TXPlatfor.exe	TXPlatfor.exe
PID 3984 wrote to memory of 4560	3984	TXPlatfor.exe	TXPlatfor.exe
PID 4588 wrote to memory of 4536	4588	tmp.exe	HD_tmp.exe
PID 4588 wrote to memory of 4536	4588	tmp.exe	HD_tmp.exe
PID 4588 wrote to memory of 4536	4588	tmp.exe	HD_tmp.exe
PID 4536 wrote to memory of 600	4536	HD_tmp.exe	winlogon.exe
PID 4536 wrote to memory of 600	4536	HD_tmp.exe	winlogon.exe
PID 4536 wrote to memory of 600	4536	HD_tmp.exe	winlogon.exe
PID 4536 wrote to memory of 600	4536	HD_tmp.exe	winlogon.exe
PID 4536 wrote to memory of 600	4536	HD_tmp.exe	winlogon.exe
PID 4536 wrote to memory of 600	4536	HD_tmp.exe	winlogon.exe
PID 4536 wrote to memory of 688	4536	HD_tmp.exe	lsass.exe
PID 4536 wrote to memory of 688	4536	HD_tmp.exe	lsass.exe
PID 4536 wrote to memory of 688	4536	HD_tmp.exe	lsass.exe
PID 4536 wrote to memory of 688	4536	HD_tmp.exe	lsass.exe
PID 4536 wrote to memory of 688	4536	HD_tmp.exe	lsass.exe
PID 4536 wrote to memory of 688	4536	HD_tmp.exe	lsass.exe
PID 4536 wrote to memory of 792	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 792	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 792	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 792	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 792	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 792	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 804	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 804	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 804	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 804	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 804	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 804	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 812	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 812	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 812	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 812	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 812	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 812	4536	HD_tmp.exe	fontdrvhost.exe
PID 4536 wrote to memory of 912	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 912	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 912	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 912	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 912	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 912	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 968	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 968	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 968	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 968	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 968	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 968	4536	HD_tmp.exe	svchost.exe
PID 4536 wrote to memory of 380	4536	HD_tmp.exe	dwm.exe
PID 4536 wrote to memory of 380	4536	HD_tmp.exe	dwm.exe
PID 4536 wrote to memory of 380	4536	HD_tmp.exe	dwm.exe
PID 4536 wrote to memory of 380	4536	HD_tmp.exe	dwm.exe
PID 4536 wrote to memory of 380	4536	HD_tmp.exe	dwm.exe
PID 4536 wrote to memory of 380	4536	HD_tmp.exe	dwm.exe
PID 4536 wrote to memory of 392	4536	HD_tmp.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:812

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3480

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:2940

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:3112

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:4152

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4180

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3860

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1132

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1340

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Modifies firewall policy service
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\R.exe
C:\Users\Admin\AppData\Local\Temp\\R.exe
3⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2240

C:\Users\Admin\AppData\Local\Temp\N.exe
C:\Users\Admin\AppData\Local\Temp\\N.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
4⤵
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
5⤵
- Runs ping.exe
PID:4788

C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2464

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2420

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:4132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4056 -ip 4056
2⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2232

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 612
2⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:3688

C:\Windows\SysWOW64\Remote Data.exe
"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240581109.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
2.3MB

MD5
f3fcee194f797b21f69703101eeb5baf

SHA1
dfdb48959c2be3b91db7565593f83b54f0bf7d66

SHA256
a7a1f343d710552699247c9dddc60c904e5a8db2fbfc5731f7f6c7a7f0f0cdf2

SHA512
481b607923310ce925d27c13b2608056262417d8f8bc11dbde74a085006e71562d2a62eca972bb063b4e9813da7e4fc621c2c24130241123fab5ddf5dd2c5bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
Filesize
292KB

MD5
69de15d2eb57853fcdaf6e3db1b628e8

SHA1
770a0b604db41c290478cee74f082b713fe3a9c8

SHA256
4bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971

SHA512
8b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\240581109.txt
Filesize
899KB

MD5
8e5f395b9a71094d9950a3b22187e76a

SHA1
cfe1c46f42a89c981130b72ec60b949818e6e1b4

SHA256
c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936

SHA512
35b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684

Download Submit
C:\Windows\SysWOW64\240581109.txt
Filesize
899KB

MD5
8e5f395b9a71094d9950a3b22187e76a

SHA1
cfe1c46f42a89c981130b72ec60b949818e6e1b4

SHA256
c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936

SHA512
35b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684

Download Submit
C:\Windows\SysWOW64\240581109.txt
Filesize
899KB

MD5
8e5f395b9a71094d9950a3b22187e76a

SHA1
cfe1c46f42a89c981130b72ec60b949818e6e1b4

SHA256
c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936

SHA512
35b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684

Download Submit
C:\Windows\SysWOW64\240581109.txt
Filesize
899KB

MD5
8e5f395b9a71094d9950a3b22187e76a

SHA1
cfe1c46f42a89c981130b72ec60b949818e6e1b4

SHA256
c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936

SHA512
35b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684

Download Submit
C:\Windows\SysWOW64\Remote Data.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\Remote Data.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\??\c:\windows\SysWOW64\240581109.txt
Filesize
899KB

MD5
8e5f395b9a71094d9950a3b22187e76a

SHA1
cfe1c46f42a89c981130b72ec60b949818e6e1b4

SHA256
c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936

SHA512
35b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684

Download Submit
memory/1988-191-0x000000007F1F0000-0x000000007F1FC000-memory.dmp

Filesize
48KB

Download
memory/1988-198-0x000000007F1F0000-0x000000007F1FC000-memory.dmp

Filesize
48KB

Download
memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3876-150-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3984-158-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4056-204-0x000000007F0A0000-0x000000007F0AC000-memory.dmp

Filesize
48KB

Download
memory/4056-205-0x000000007F0A0000-0x000000007F0AC000-memory.dmp

Filesize
48KB

Download
memory/4536-207-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4536-172-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4536-199-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4588-179-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-182-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-180-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-181-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-219-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-228-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-241-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-243-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-252-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4588-253-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download