danabot | 5aa4e6282c60bd4d605ad27990defef4c71eb4141d59787a9c46e776d0102ad1

Analysis

max time kernel
143s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ea78b13ec1f3ba0a3f3ae234c9f16a0_JaffaCakes118.exe
Size

4.0MB
MD5

5ea78b13ec1f3ba0a3f3ae234c9f16a0
SHA1

c8d3b85f13a986a357ab4aeb6c98399977b52a20
SHA256

5aa4e6282c60bd4d605ad27990defef4c71eb4141d59787a9c46e776d0102ad1
SHA512

e0d32c3aef14e115ee3673e6d618a2dc53abe20e5428c24cae2d7b3c6805a3eaf23c1c6592287498e707200b286de8229441c264e4fe5a9b5bf5bd7d211ddcca
SSDEEP

98304:gGLD2x+dn4Ns15gS5UFydQRzSr2fw9ffMp1W:gGLD9dnzVRQRWPf

Score

10^/10

danabot 3 banker collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1765

Botnet

104.168.156.222:443

192.236.192.238:443

134.119.186.199:443

172.93.201.39:443

Attributes

embedded_hash
82C66843DE542BC5CB88F713DE39B52B
type
main

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 4 IoCs

flow	pid	Process
30	352	RUNDLL32.EXE
33	352	RUNDLL32.EXE
34	352	RUNDLL32.EXE
59	352	RUNDLL32.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	RUNDLL32.EXE

Deletes itself 1 IoCs

pid	Process
4228	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4228	rundll32.exe
4228	rundll32.exe
352	RUNDLL32.EXE

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe
1192	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	2312	WerFault.exe	83

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2192	powershell.exe
2192	powershell.exe
352	RUNDLL32.EXE
352	RUNDLL32.EXE
1192	powershell.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	rundll32.exe
Token: SeDebugPrivilege	352	RUNDLL32.EXE
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
352	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4228	2312	5ea78b13ec1f3ba0a3f3ae234c9f16a0_JaffaCakes118.exe	87
PID 2312 wrote to memory of 4228	2312	5ea78b13ec1f3ba0a3f3ae234c9f16a0_JaffaCakes118.exe	87
PID 2312 wrote to memory of 4228	2312	5ea78b13ec1f3ba0a3f3ae234c9f16a0_JaffaCakes118.exe	87
PID 4228 wrote to memory of 352	4228	rundll32.exe	91
PID 4228 wrote to memory of 352	4228	rundll32.exe	91
PID 4228 wrote to memory of 352	4228	rundll32.exe	91
PID 352 wrote to memory of 2192	352	RUNDLL32.EXE	97
PID 352 wrote to memory of 2192	352	RUNDLL32.EXE	97
PID 352 wrote to memory of 2192	352	RUNDLL32.EXE	97
PID 352 wrote to memory of 1192	352	RUNDLL32.EXE	100
PID 352 wrote to memory of 1192	352	RUNDLL32.EXE	100
PID 352 wrote to memory of 1192	352	RUNDLL32.EXE	100
PID 1192 wrote to memory of 3660	1192	powershell.exe	103
PID 1192 wrote to memory of 3660	1192	powershell.exe	103
PID 1192 wrote to memory of 3660	1192	powershell.exe	103
PID 352 wrote to memory of 2008	352	RUNDLL32.EXE	104
PID 352 wrote to memory of 2008	352	RUNDLL32.EXE	104
PID 352 wrote to memory of 2008	352	RUNDLL32.EXE	104
PID 352 wrote to memory of 656	352	RUNDLL32.EXE	107
PID 352 wrote to memory of 656	352	RUNDLL32.EXE	107
PID 352 wrote to memory of 656	352	RUNDLL32.EXE	107

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\5ea78b13ec1f3ba0a3f3ae234c9f16a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ea78b13ec1f3ba0a3f3ae234c9f16a0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\5EA78B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\5EA78B~1.EXE
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\5EA78B~1.DLL,mj5c
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD830.tmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpEA91.tmp.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\nslookup.exe
        
        "C:\Windows\system32\nslookup.exe" -type=any localhost
        5⤵
        
        PID:3660
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
      4⤵
      PID:656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 508
  2⤵
  - Program crash
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2312 -ip 2312
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6ad58b45ba900fe2b784c35fe1ddd496

SHA1
7701cf4dfebc92b77e3d16a4094dac0def34f13a

SHA256
139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f

SHA512
168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
d6f8fe5805c6ec9ce5c02afff8464083

SHA1
5b216b9569227a61ecb7b1057074786faaa1483c

SHA256
9057f5c713ceab71a29fd11629507451a4eb108c88613b6f4e9c671acba89d58

SHA512
5ca54f740e2744ffce809a88be35fd8aecb12a05ff98fcf3f38000d4a53507f9894eb0997b8ce8d7d60e3c4e531477adc44c605590ba8c32241e5802682c2784

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EA78B~1.DLL

Filesize
3.8MB

MD5
6f1eba25a40cd871f8c8e2240e16b0b6

SHA1
428409662bfcfc5a81356a4c9dc7941e848141f1

SHA256
3a04a1ce0f5be99a5266a47c661fece1e34112db95edf96fa81abf72ac291848

SHA512
24da61e0c29f9e0189a14f678d8d90e0298e07e2c7c18c32f0bc32df0fad4f71aeb12ba31e16dd5ca9dad41fb6802f39d6b97402211dd48476f2168fbaa209d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fjvdfszxjucsg.tmp

Filesize
2KB

MD5
f1032e11c23572e21f42ef8fe2ba74c3

SHA1
791ef39da37ab0a19ce5b737e7234db4b98ce25a

SHA256
fe347019c65f7df1508de7c5839d7449757f7d505d0354ea8b08d5e65f2e4042

SHA512
d3ad815570b91581bf5dc6315bf71e854254a557d10ed5e2d3329a3fe3567998b51d9427e2cebdffc4da944f8a821f3c5aff81e3aed0ccfcea4c611c463550d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnxz0ryf.ewo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD830.tmp.ps1

Filesize
261B

MD5
fe90fdd655b97dddce82f8eea330461b

SHA1
05176d1e79e56796001d99bb1215669903b42407

SHA256
b314b99b307418888362139835f11f3775e088638a94a32914bda6d83d4b17fe

SHA512
272a72bcb7e741f89cdfa9e3049be92b4492679db8f9cfcc8475320d3bacc38454242ad5c47251fcf2aa6ca331a2384412173b2763406997217a74e28b895381

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD831.tmp

Filesize
1KB

MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA91.tmp.ps1

Filesize
80B

MD5
cbe92ec8d0675c1d390c76fc27caf63f

SHA1
40cca1d225c4e39e6dcfeb2e6f0b5d4faaeaf515

SHA256
0002dbfc9af17d76fafece37e08986690764251ca4c6449c9e610b2773951fa3

SHA512
ee9d57c0805a5e16f9daa7cd308c065081838a045dae2f2b2d7ec8c6b7296168051ebb9db1b581a3d18ba0c973202e4aca253dfed23bbb6b21a887f0827296ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA92.tmp

Filesize
86B

MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/352-18-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/352-17-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/352-87-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/352-19-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/352-20-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/352-21-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/352-31-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/352-88-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/352-89-0x0000000003340000-0x00000000039A2000-memory.dmp

Filesize
6.4MB

Download
memory/1192-80-0x0000000006000000-0x000000000604C000-memory.dmp

Filesize
304KB

Download
memory/1192-78-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/2192-39-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/2192-58-0x00000000063D0000-0x00000000063D8000-memory.dmp

Filesize
32KB

Download
memory/2192-41-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/2192-37-0x00000000024A0000-0x00000000024D6000-memory.dmp

Filesize
216KB

Download
memory/2192-47-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/2192-52-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

Filesize
120KB

Download
memory/2192-53-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/2192-38-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/2192-55-0x0000000006070000-0x000000000607A000-memory.dmp

Filesize
40KB

Download
memory/2192-56-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/2192-57-0x0000000006340000-0x000000000635A000-memory.dmp

Filesize
104KB

Download
memory/2192-40-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/2312-1-0x0000000000FD0000-0x00000000013AA000-memory.dmp

Filesize
3.9MB

Download
memory/2312-9-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2312-10-0x00000000013B0000-0x000000000178F000-memory.dmp

Filesize
3.9MB

Download
memory/2312-11-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2312-3-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2312-2-0x00000000013B0000-0x000000000178F000-memory.dmp

Filesize
3.9MB

Download
memory/4228-12-0x0000000002C10000-0x0000000003272000-memory.dmp

Filesize
6.4MB

Download
memory/4228-13-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/4228-14-0x0000000002C10000-0x0000000003272000-memory.dmp

Filesize
6.4MB

Download
memory/4228-16-0x0000000002C10000-0x0000000003272000-memory.dmp

Filesize
6.4MB

Download
memory/4228-8-0x0000000002400000-0x00000000027CE000-memory.dmp

Filesize
3.8MB

Download