Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
19-04-2024 04:25
General
-
Target
da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e.exe
-
Size
4.2MB
-
MD5
dddcde977edb4bf2155d31a937e6afdc
-
SHA1
c89a34d1f3b841852ff409fc167d1431526b0596
-
SHA256
da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e
-
SHA512
fb32311a956699fcdf177834ba1d7f1cf98e4baa1998da8d0571a19805f9a3a5c116db38d9ca844197642cbaf632e5477d8abdead720a143d6a359564c0f00f9
-
SSDEEP
98304:URUBmLZ3rmtSop/fcfKtwQG3TQtt4oKMJO6VS6U7CKzh77:MxKEC/fcfKt9ykOWRUGoh77
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 20 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e.exe"C:\Users\Admin\AppData\Local\Temp\da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e.exe"C:\Users\Admin\AppData\Local\Temp\da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 6323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 8402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1520 -ip 15201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4492 -ip 44921⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ozhmvg1.g2z.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a5fca725b42c8d18511f37636fef3582
SHA1c64b4174e696f9e1c7489f798d9e2fe40b8f546b
SHA25607c4bfc607871c02f59cbec554e38ee017f0357815e8f1d347f025433abda55c
SHA512ae7a54ebbc8c7f52f414cb5f3874736b35710a253cd734813dfa5ce5474718903e28fd8cc3ce7d3e8bb3f7eec2e9762bbd028856f1cbf77c3a207bbfa08157ea
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50aea0b875ecac2345403098401e974a4
SHA1e810a3cbfefc36c7f4392fc08f3d832637c88278
SHA25619845ef78c7012a09e6f26a098beb4860a502811e204d42bb1b1a1dd11f217b6
SHA5125c62a71f83aca97678750ad7480a61a69ba4dd1564ff0af2b6ece846e9d6a468a1aec129b9322c49ab88c1c305ab56983ea19dc397cba7c7c6687af5177ecdea
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD580426709219dee95237a9416a35e4e62
SHA101bb15c118fc64328271aa2ff7131ec2c00cfc07
SHA256b172a0875ae8327f33b87df53b5720bc225fac461ca8cf1bd0ed96d97c7edbba
SHA512a6c136ebd6ef2beda0b6c8f509a680bf38c8e095462a51218a34218c05947d832650df6dc753a1c9d387a156afab973c8e121d7cd5105ba01e20ad93aaa6cbdc
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5df486268fb1d309a6974782d1e99bab3
SHA1de9b74fa0aefce298e4f04f37cd33e28d3a21953
SHA256a00a5bcf4d73ec63f268a0118949f9df792b330146c1b4037abf08e52b87543d
SHA51226b9d20a870a344d41fe9e937553bc12305402c9b91e13060e0f25b638f55d6a81f995471102d5cee4701b71edb463aec05180450bcf8ed843f2adfa771315f5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD592ca70edea398cae3a32b752fd8815a9
SHA1e51eb18dd01bb1a6e0731ea92c45cc7e0bab4375
SHA25628b2261c63c35081ca6e9c62e2ebbe373db05476973b001b51d2983e1604803b
SHA512deb2f5e5845ef86d1dc269a635a4fdda17609974cbc1da448978d727ad7ec5c5633db33fef0bc11b2109c79a915a54ac8818dbab9dc966e049b6267dc382d49b
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5dddcde977edb4bf2155d31a937e6afdc
SHA1c89a34d1f3b841852ff409fc167d1431526b0596
SHA256da69f6b35f25887b22271e8351b845d67230e76d6dbf742c009c22c96a01b38e
SHA512fb32311a956699fcdf177834ba1d7f1cf98e4baa1998da8d0571a19805f9a3a5c116db38d9ca844197642cbaf632e5477d8abdead720a143d6a359564c0f00f9
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/496-137-0x000000007F420000-0x000000007F430000-memory.dmpFilesize
64KB
-
memory/496-138-0x0000000004ED0000-0x0000000004EE0000-memory.dmpFilesize
64KB
-
memory/496-127-0x00000000711E0000-0x0000000071537000-memory.dmpFilesize
3.3MB
-
memory/496-126-0x0000000070F90000-0x0000000070FDC000-memory.dmpFilesize
304KB
-
memory/496-114-0x0000000074CB0000-0x0000000075461000-memory.dmpFilesize
7.7MB
-
memory/496-116-0x0000000004ED0000-0x0000000004EE0000-memory.dmpFilesize
64KB
-
memory/496-115-0x0000000004ED0000-0x0000000004EE0000-memory.dmpFilesize
64KB
-
memory/708-81-0x0000000007A00000-0x0000000007A11000-memory.dmpFilesize
68KB
-
memory/708-85-0x0000000074CB0000-0x0000000075461000-memory.dmpFilesize
7.7MB
-
memory/708-82-0x0000000007A50000-0x0000000007A65000-memory.dmpFilesize
84KB
-
memory/708-68-0x0000000070F90000-0x0000000070FDC000-memory.dmpFilesize
304KB
-
memory/708-69-0x000000007F280000-0x000000007F290000-memory.dmpFilesize
64KB
-
memory/708-70-0x00000000711E0000-0x0000000071537000-memory.dmpFilesize
3.3MB
-
memory/708-79-0x00000000076D0000-0x0000000007774000-memory.dmpFilesize
656KB
-
memory/708-80-0x0000000005130000-0x0000000005140000-memory.dmpFilesize
64KB
-
memory/708-67-0x0000000006590000-0x00000000065DC000-memory.dmpFilesize
304KB
-
memory/708-66-0x0000000005F80000-0x00000000062D7000-memory.dmpFilesize
3.3MB
-
memory/708-57-0x0000000005130000-0x0000000005140000-memory.dmpFilesize
64KB
-
memory/708-56-0x0000000074CB0000-0x0000000075461000-memory.dmpFilesize
7.7MB
-
memory/1012-39-0x0000000007D40000-0x00000000083BA000-memory.dmpFilesize
6.5MB
-
memory/1012-4-0x0000000002C70000-0x0000000002CA6000-memory.dmpFilesize
216KB
-
memory/1012-45-0x00000000077C0000-0x00000000077D5000-memory.dmpFilesize
84KB
-
memory/1012-50-0x0000000074C10000-0x00000000753C1000-memory.dmpFilesize
7.7MB
-
memory/1012-40-0x0000000007700000-0x000000000771A000-memory.dmpFilesize
104KB
-
memory/1012-5-0x0000000074C10000-0x00000000753C1000-memory.dmpFilesize
7.7MB
-
memory/1012-37-0x0000000002EA0000-0x0000000002EB0000-memory.dmpFilesize
64KB
-
memory/1012-7-0x00000000054F0000-0x0000000005B1A000-memory.dmpFilesize
6.2MB
-
memory/1012-44-0x00000000077B0000-0x00000000077BE000-memory.dmpFilesize
56KB
-
memory/1012-24-0x000000007FBA0000-0x000000007FBB0000-memory.dmpFilesize
64KB
-
memory/1012-43-0x0000000007760000-0x0000000007771000-memory.dmpFilesize
68KB
-
memory/1012-27-0x0000000071090000-0x00000000713E7000-memory.dmpFilesize
3.3MB
-
memory/1012-25-0x0000000007580000-0x00000000075B4000-memory.dmpFilesize
208KB
-
memory/1012-41-0x0000000007740000-0x000000000774A000-memory.dmpFilesize
40KB
-
memory/1012-47-0x0000000007830000-0x0000000007838000-memory.dmpFilesize
32KB
-
memory/1012-46-0x0000000007810000-0x000000000782A000-memory.dmpFilesize
104KB
-
memory/1012-42-0x0000000007850000-0x00000000078E6000-memory.dmpFilesize
600KB
-
memory/1012-6-0x0000000002EA0000-0x0000000002EB0000-memory.dmpFilesize
64KB
-
memory/1012-36-0x00000000075C0000-0x00000000075DE000-memory.dmpFilesize
120KB
-
memory/1012-23-0x0000000007170000-0x00000000071B6000-memory.dmpFilesize
280KB
-
memory/1012-38-0x00000000075E0000-0x0000000007684000-memory.dmpFilesize
656KB
-
memory/1012-8-0x0000000002EA0000-0x0000000002EB0000-memory.dmpFilesize
64KB
-
memory/1012-9-0x0000000005290000-0x00000000052B2000-memory.dmpFilesize
136KB
-
memory/1012-26-0x0000000070E80000-0x0000000070ECC000-memory.dmpFilesize
304KB
-
memory/1012-10-0x0000000005330000-0x0000000005396000-memory.dmpFilesize
408KB
-
memory/1012-11-0x0000000005B90000-0x0000000005BF6000-memory.dmpFilesize
408KB
-
memory/1012-20-0x0000000005C40000-0x0000000005F97000-memory.dmpFilesize
3.3MB
-
memory/1012-21-0x0000000006170000-0x000000000618E000-memory.dmpFilesize
120KB
-
memory/1012-22-0x00000000061A0000-0x00000000061EC000-memory.dmpFilesize
304KB
-
memory/1520-52-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1520-1-0x0000000004F70000-0x000000000536F000-memory.dmpFilesize
4.0MB
-
memory/1520-2-0x0000000005370000-0x0000000005C5B000-memory.dmpFilesize
8.9MB
-
memory/1520-3-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-258-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-262-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-272-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-270-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-268-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-266-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-264-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-252-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-260-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-274-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-256-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-254-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/1632-243-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/2872-253-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2872-257-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3416-87-0x0000000074CB0000-0x0000000075461000-memory.dmpFilesize
7.7MB
-
memory/3416-101-0x0000000070F90000-0x0000000070FDC000-memory.dmpFilesize
304KB
-
memory/3416-100-0x000000007FD90000-0x000000007FDA0000-memory.dmpFilesize
64KB
-
memory/3416-88-0x00000000029C0000-0x00000000029D0000-memory.dmpFilesize
64KB
-
memory/3416-102-0x00000000711A0000-0x00000000714F7000-memory.dmpFilesize
3.3MB
-
memory/3416-98-0x0000000005950000-0x0000000005CA7000-memory.dmpFilesize
3.3MB
-
memory/3416-113-0x0000000074CB0000-0x0000000075461000-memory.dmpFilesize
7.7MB
-
memory/3416-89-0x00000000029C0000-0x00000000029D0000-memory.dmpFilesize
64KB
-
memory/4492-54-0x0000000005290000-0x0000000005B7B000-memory.dmpFilesize
8.9MB
-
memory/4492-145-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4492-55-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4492-136-0x0000000000400000-0x000000000310F000-memory.dmpFilesize
45.1MB
-
memory/4492-53-0x0000000004E80000-0x0000000005283000-memory.dmpFilesize
4.0MB
-
memory/4492-111-0x0000000004E80000-0x0000000005283000-memory.dmpFilesize
4.0MB
-
memory/4636-250-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB