gozi | cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a

Analysis

max time kernel
50s
max time network
53s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
25-05-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.msi
Size

5.8MB
MD5

82ff84cb9924f0855a894e75b5d3edb2
SHA1

df89381239f8a8ececeb697a6a35a573203bac09
SHA256

cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
SHA512

416db643cbfda60b26bb3eac8b6a94b148b506bc016d562bc51e085f765400c56412462b42e2e29dcc44fa621349781c1c225081804c528a0a7fd1822663597b
SSDEEP

98304:ajJzMUpQ/2zKN5DmsQPKEvia5Zld9l4jH43ZnzgB1wLhQNHFRaFUDAQQHk8iQdvk:M5NzKNgsKKE6UZD9l4IZnzgLwLhQNHFd

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Botnet

1000

https://sumarno.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

14 4696 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

MSIC82D.tmpMSIC919.tmp

pid process

4744 MSIC82D.tmp
4684 MSIC919.tmp
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

3460 MsiExec.exe
3460 MsiExec.exe
3460 MsiExec.exe
3460 MsiExec.exe
3460 MsiExec.exe
4696 rundll32.exe

flow	pid	process
14	4696	rundll32.exe

pid	process
4744	MSIC82D.tmp
4684	MSIC919.tmp

pid	process
3460	MsiExec.exe
3460	MsiExec.exe
3460	MsiExec.exe
3460	MsiExec.exe
3460	MsiExec.exe
4696	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}	msiexec.exe
File created	C:\Windows\Installer\e56beb4.msi	msiexec.exe
File created	C:\Windows\Installer\e56beb1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC25C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC318.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC732.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC919.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC423.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC56C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC82D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e56beb1.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMSIC919.tmp

pid	process
4524	msiexec.exe
4524	msiexec.exe
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp
4684	MSIC919.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3704	msiexec.exe
Token: SeSecurityPrivilege	4524	msiexec.exe
Token: SeCreateTokenPrivilege	3704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3704	msiexec.exe
Token: SeLockMemoryPrivilege	3704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3704	msiexec.exe
Token: SeMachineAccountPrivilege	3704	msiexec.exe
Token: SeTcbPrivilege	3704	msiexec.exe
Token: SeSecurityPrivilege	3704	msiexec.exe
Token: SeTakeOwnershipPrivilege	3704	msiexec.exe
Token: SeLoadDriverPrivilege	3704	msiexec.exe
Token: SeSystemProfilePrivilege	3704	msiexec.exe
Token: SeSystemtimePrivilege	3704	msiexec.exe
Token: SeProfSingleProcessPrivilege	3704	msiexec.exe
Token: SeIncBasePriorityPrivilege	3704	msiexec.exe
Token: SeCreatePagefilePrivilege	3704	msiexec.exe
Token: SeCreatePermanentPrivilege	3704	msiexec.exe
Token: SeBackupPrivilege	3704	msiexec.exe
Token: SeRestorePrivilege	3704	msiexec.exe
Token: SeShutdownPrivilege	3704	msiexec.exe
Token: SeDebugPrivilege	3704	msiexec.exe
Token: SeAuditPrivilege	3704	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3704	msiexec.exe
Token: SeChangeNotifyPrivilege	3704	msiexec.exe
Token: SeRemoteShutdownPrivilege	3704	msiexec.exe
Token: SeUndockPrivilege	3704	msiexec.exe
Token: SeSyncAgentPrivilege	3704	msiexec.exe
Token: SeEnableDelegationPrivilege	3704	msiexec.exe
Token: SeManageVolumePrivilege	3704	msiexec.exe
Token: SeImpersonatePrivilege	3704	msiexec.exe
Token: SeCreateGlobalPrivilege	3704	msiexec.exe
Token: SeBackupPrivilege	1660	vssvc.exe
Token: SeRestorePrivilege	1660	vssvc.exe
Token: SeAuditPrivilege	1660	vssvc.exe
Token: SeBackupPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe
Token: SeTakeOwnershipPrivilege	4524	msiexec.exe
Token: SeRestorePrivilege	4524	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3704 msiexec.exe
3704 msiexec.exe

pid	process
3704	msiexec.exe
3704	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

msiexec.exerundll32.execmd.exenet.exe

description	pid	process	target process
PID 4524 wrote to memory of 4436	4524	msiexec.exe	srtasks.exe
PID 4524 wrote to memory of 4436	4524	msiexec.exe	srtasks.exe
PID 4524 wrote to memory of 3460	4524	msiexec.exe	MsiExec.exe
PID 4524 wrote to memory of 3460	4524	msiexec.exe	MsiExec.exe
PID 4524 wrote to memory of 3460	4524	msiexec.exe	MsiExec.exe
PID 4524 wrote to memory of 4744	4524	msiexec.exe	MSIC82D.tmp
PID 4524 wrote to memory of 4744	4524	msiexec.exe	MSIC82D.tmp
PID 4524 wrote to memory of 4744	4524	msiexec.exe	MSIC82D.tmp
PID 4524 wrote to memory of 4684	4524	msiexec.exe	MSIC919.tmp
PID 4524 wrote to memory of 4684	4524	msiexec.exe	MSIC919.tmp
PID 4524 wrote to memory of 4684	4524	msiexec.exe	MSIC919.tmp
PID 4696 wrote to memory of 4916	4696	rundll32.exe	cmd.exe
PID 4696 wrote to memory of 4916	4696	rundll32.exe	cmd.exe
PID 4916 wrote to memory of 4892	4916	cmd.exe	net.exe
PID 4916 wrote to memory of 4892	4916	cmd.exe	net.exe
PID 4892 wrote to memory of 4884	4892	net.exe	net1.exe
PID 4892 wrote to memory of 4884	4892	net.exe	net1.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4436

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9CC984A2C00D9038750D447DB7946EF0
2⤵
- Loads dropped DLL
PID:3460

C:\Windows\Installer\MSIC82D.tmp
"C:\Windows\Installer\MSIC82D.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,vips
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\Installer\MSIC919.tmp
"C:\Windows\Installer\MSIC919.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\Admin\AppData\Roaming\MSTX340/Information_psw.pdf
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1168

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll,vips
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\System32\cmd.exe
cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\C6A7.tmp
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\System32\net.exe
net group "domain computers" /domain
3⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
4⤵
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56beb3.rbs
Filesize
423KB

MD5
be50ddb430c0c7bd10b57723df00de93

SHA1
1ea7dc6675a0ad8dbbdf7e2d4c1704df809cade3

SHA256
7f7bf48f08c78818375c9f47f763cf1c4154e02c24f7cc2074d856bf2e6c69e1

SHA512
643e8f6d536a6ab60b42b60a89561ae1056c75064a736fd1fdc4c39b9a5fb8802b03454fdea70ff00aa14a4055db9f8aaca85dbd83280606f0780b080828e324

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6A7.tmp
Filesize
78B

MD5
aaec14b2de8e2fdaf8427672122af65c

SHA1
ca953efad669c93af85b968d747baa544d4465fb

SHA256
14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1

SHA512
a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8

Download Submit
C:\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
C:\Windows\Installer\MSIBF4D.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIC25C.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIC318.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIC318.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIC423.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIC56C.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Windows\Installer\MSIC82D.tmp
Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
C:\Windows\Installer\MSIC919.tmp
Filesize
414KB

MD5
0007940f5479831428131f029d3bd8f7

SHA1
8ded66acbd836388c1414512025bd9004c90903b

SHA256
340b6eeceb447fb9c8393ddaaa896c9d7013333e2d5587c7a580e56beb232320

SHA512
c4f75c939acf139f85abffc0264de0279ef35914121e132c0bc22b3ea0080a9573665080f5c8ae5db3b620341aacc871d094ef52bc7b6963275112572a490bdf

Download Submit
C:\Windows\Installer\e56beb1.msi
Filesize
5.8MB

MD5
82ff84cb9924f0855a894e75b5d3edb2

SHA1
df89381239f8a8ececeb697a6a35a573203bac09

SHA256
cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a

SHA512
416db643cbfda60b26bb3eac8b6a94b148b506bc016d562bc51e085f765400c56412462b42e2e29dcc44fa621349781c1c225081804c528a0a7fd1822663597b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
25.0MB

MD5
f3398284829d74b8b90858435cfceaa9

SHA1
241e0a3909f3777c8977ab8a5ca6aaf9f112c30d

SHA256
ca5ec3477e5741c17ebc8ee1de5650668b4a5a92a416b55c9a8cf3c95694eb1d

SHA512
c9207833fcaa9aac4715b81a0b6d4a9b1f05503dfe7fc07256b5af8d550f56d4ad99f59bc9b9f1c3656b6672e4e2af2de58acc7bc41d2d7b53bba40f250992c0

Download Submit
\??\Volume{ce598122-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3a5329a4-21fb-4881-97e3-74d4d08b0545}_OnDiskSnapshotProp
Filesize
5KB

MD5
267eef08a541ee379c43dca78859479a

SHA1
62b5e8fc6bede0313f8b8c2bc0d536422df70242

SHA256
d2e576e95f99adab454dd141d6921d6268b2fe6be76269cfad6aaa5d5d480361

SHA512
efe7ed41e398b52506da9b275a05c18a86b8881ebe312d92d4746e19111aba887756d03f1157f396d2feefe3911c41894209755ad004b256cacb98ed9bf97034

Download Submit
\Users\Admin\AppData\Roaming\MSTX340\ini.dll
Filesize
287KB

MD5
d0584edcc980ef43e697629ade83c54b

SHA1
a68deea2d4f40bef60c7f605bc2aae9698259e69

SHA256
e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc

SHA512
917f8206777512ba537c3b67d4e1a31cbf86c690986ef617d5ee34a7818ce09c23067caae3d22a9e1ff7dba0fdf17322f33b579ca0827f19ef0cbabe2f486b5e

Download Submit
\Windows\Installer\MSIBF4D.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSIC25C.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSIC318.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSIC423.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
\Windows\Installer\MSIC56C.tmp
Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
memory/4696-178-0x0000029732560000-0x0000029732573000-memory.dmp

Filesize
76KB

Download
memory/4696-172-0x0000029732560000-0x0000029732573000-memory.dmp

Filesize
76KB

Download
memory/4696-169-0x0000029732550000-0x0000029732554000-memory.dmp

Filesize
16KB

Download