Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2024 09:05
Behavioral task: behavioral1
Sample: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
Resource: win10v2004-20231215-en
General
Target: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
Size: 32KB
MD5: a24f02aa70607beea6af7963d2a51a4d
SHA1: fdbf0458799b50f52b231151d84c5d68f6e6da95
SHA256: 9a77f554fbc23a4d71cbb980b5dcdef80291fa70849430a929a1e1bb9cebc2dc
SHA512: 2d8d64931184e5d202e097157fc783ba6245b78374a1baefed1abc31a0458acc486f389447bd7cdc7ed2f38a3f91ecbced50923575233e470837790590c52222
SSDEEP: 768:OAUqYpNSIoKpDd1KM02kQhx4hOtFceWzYqvz0bOS:HLo8LKtd1PBkQD4UtFceWnz
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
Processes: BCD8.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\u9qcc977m.exe | BCD8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\u9qcc977m.exe\DisableExceptionChainValidation | BCD8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "mgusdi.exe" | explorer.exe
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: C574.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C574.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
3560 |
-
Executes dropped EXE 3 IoCs
Processes: BCD8.exe, C574.exe, WindowsUpdater.exe
pid | process
1808 | BCD8.exe
4204 | C574.exe
5004 | WindowsUpdater.exe
-
Loads dropped DLL 2 IoCs
Processes: WindowsUpdater.exe
pid | process
5004 | WindowsUpdater.exe
5004 | WindowsUpdater.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\u9qcc977m.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\u9qcc977m.exe\"" | explorer.exe
-
Checks whether UAC is enabled
Processes: BCD8.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | BCD8.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes: BCD8.exe, explorer.exe
pid | process
1808 | BCD8.exe
3648 | explorer.exe (listed 7 times)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
232 | 3648 | WerFault.exe | explorer.exe
-
NSIS installer 8 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\C574.exe | nsis_installer_2 (listed 2 times)
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_1 (listed 3 times)
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | nsis_installer_2 (listed 3 times)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: BCD8.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | BCD8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | BCD8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
-
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
pid | process
2656 | 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe (listed 2 times)
3560 | (repeated for the remaining entries)
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe, BCD8.exe
pid | process
2656 | 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
1808 | BCD8.exe (listed 2 times)
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes: BCD8.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1808 | BCD8.exe
Token: SeRestorePrivilege | 1808 | BCD8.exe
Token: SeBackupPrivilege | 1808 | BCD8.exe
Token: SeLoadDriverPrivilege | 1808 | BCD8.exe
Token: SeCreatePagefilePrivilege | 1808 | BCD8.exe
Token: SeShutdownPrivilege | 1808 | BCD8.exe
Token: SeTakeOwnershipPrivilege | 1808 | BCD8.exe
Token: SeChangeNotifyPrivilege | 1808 | BCD8.exe
Token: SeCreateTokenPrivilege | 1808 | BCD8.exe
Token: SeMachineAccountPrivilege | 1808 | BCD8.exe
Token: SeSecurityPrivilege | 1808 | BCD8.exe
Token: SeAssignPrimaryTokenPrivilege | 1808 | BCD8.exe
Token: SeCreateGlobalPrivilege | 1808 | BCD8.exe
Token: 33 | 1808 | BCD8.exe
Token: SeDebugPrivilege | 3648 | explorer.exe
Token: SeRestorePrivilege | 3648 | explorer.exe
Token: SeBackupPrivilege | 3648 | explorer.exe
Token: SeLoadDriverPrivilege | 3648 | explorer.exe
Token: SeCreatePagefilePrivilege | 3648 | explorer.exe
Token: SeShutdownPrivilege | 3648 | explorer.exe
Token: SeTakeOwnershipPrivilege | 3648 | explorer.exe
Token: SeChangeNotifyPrivilege | 3648 | explorer.exe
Token: SeCreateTokenPrivilege | 3648 | explorer.exe
Token: SeMachineAccountPrivilege | 3648 | explorer.exe
Token: SeSecurityPrivilege | 3648 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 3648 | explorer.exe
Token: SeCreateGlobalPrivilege | 3648 | explorer.exe
Token: 33 | 3648 | explorer.exe
Token: SeShutdownPrivilege | 3560 |
Token: SeCreatePagefilePrivilege | 3560 |
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3560 |
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: BCD8.exe, C574.exe
description | pid | process | target process
PID 3560 wrote to memory of 1808 | 3560 | | BCD8.exe (listed 3 times)
PID 1808 wrote to memory of 3648 | 1808 | BCD8.exe | explorer.exe (listed 3 times)
PID 3560 wrote to memory of 4204 | 3560 | | C574.exe (listed 3 times)
PID 4204 wrote to memory of 5004 | 4204 | C574.exe | WindowsUpdater.exe (listed 3 times)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
"C:\Users\Admin\AppData\Local\Temp\461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe" 1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BCD8.exe
C:\Users\Admin\AppData\Local\Temp\BCD8.exe 1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe 2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1140 3⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\C574.exe
C:\Users\Admin\AppData\Local\Temp\C574.exe 1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 3648 1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1)
- Windows Service (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Create or Modify System Process (1)
- Windows Service (1)
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\BCD8.exe | Filesize 360KB
C:\Users\Admin\AppData\Local\Temp\C574.exe | Filesize 574KB
C:\Users\Admin\AppData\Local\Temp\C574.exe | Filesize 819KB
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | Filesize 264KB
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | Filesize 269KB
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe | Filesize 262KB
C:\Users\Admin\AppData\Local\Temp\lib.dll | Filesize 317KB
C:\Users\Admin\AppData\Local\Temp\nsrC90E.tmp\System.dll | Filesize 12KB