Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-05-2024 11:28
General
-
Target
76e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab.exe
-
Size
4.1MB
-
MD5
c0f11ac7de53abae09153bd3b30564e8
-
SHA1
76795db7c36e2a8e8b865411cb91f64804bf4a50
-
SHA256
76e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab
-
SHA512
f331487417b10c5a6580b360b32dd7b0419aafdf8df8e2450dba5133889e8b743c8beca7d9e01d2358876eafa76765fea886574d570f33afcc76f334c1929bf3
-
SSDEEP
98304:taldxVYbeltggr6p7qKtgoJu9O6Qxc6qPeInuZKahKn+3QE:ixq6ggrt/os9O/WxuFhK+AE
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 18 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\76e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab.exe"C:\Users\Admin\AppData\Local\Temp\76e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\76e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab.exe"C:\Users\Admin\AppData\Local\Temp\76e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcc5x3sj.4f5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53da0f18cf394febb162de0e023c15cd4
SHA17412efd6f7aadd8d24531cb0a2930541b6e3c0ef
SHA25652b98f50ba210f931011552b5ccc95d0e4ca6ebae272e577918e478ed672576f
SHA512980c37eb96d96869b2bcb3717a0ec8a6aff99cc89da7069cf2e3310f8c701452fc41a965a673ea7c90a0386b9779b70d653071e60b3b8767465badfba48829bf
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b64c8e9a8138040d720dc376c69a62ce
SHA1e269e2eb640b89e114d716daa1b65ccc4a913f35
SHA256f5e6a18abf0427df5cd3081352bfb64cef0a6cbb11cd8ed0d30b38bbedb15aea
SHA51280b7a1485ca6a02cfde41d0f57dad09de8175a539188b01c23064c9e076c74e0ad9b15d6c87f947def0dd6f19a3d27f3eeb312a214d9bc108dde550d9eae6fa3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56c9d11a098811fc1ca34fe39c04c5c4d
SHA1388bfbd389131c36b5a99823e26ecf4ca0cd81a1
SHA2561b86dac86077494013157a6da64509bbfd44dce3511103b90fe24455e03ed2bb
SHA51226350cfd0f299aa0e8ff31971acc0c52b0fd0f455c6b6da2716358beb09a2930e175387373f790b67532a2733ea955d16ef05477af53b6fc7e1e51bab04c92c4
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d03e220d7c30a539561910419c4be526
SHA1257442e049018a5b4b8402afab478f8bc0833cf6
SHA256925d18c9f66db1423ccddbe49fea869ca175e53505de4f2dc1e6d368fd4594f2
SHA5126064e5554a09bb71b3001efd250b15b7e11220d7ef4268374fdf387ad40540adb9f0251f59d54bea546b16283dea2b9383ad526d4cc0dca6eee7eff385eced71
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD540a609bd434254b2ae4e5e8f5572bb89
SHA1dcf9181d14d74752faec0d13f70604722a0f6f07
SHA256c46305a4fcde933972c49ba18b169f2cc195e74b7631433f7a07dea21676a6c2
SHA51218316a6cb139241edad683fd4d77bfe72c34c111d8e50a27f48829207b43555e76e1d16ab58e472032f330ea09e556f9b338e8a9d43e2014755a045f51bcbd80
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD5c0f11ac7de53abae09153bd3b30564e8
SHA176795db7c36e2a8e8b865411cb91f64804bf4a50
SHA25676e6ba0131add4cbf881c08373452d63a5ca3e61f4a4f161583709fc9657a7ab
SHA512f331487417b10c5a6580b360b32dd7b0419aafdf8df8e2450dba5133889e8b743c8beca7d9e01d2358876eafa76765fea886574d570f33afcc76f334c1929bf3
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/648-51-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/648-31-0x00000000045D0000-0x00000000049CF000-memory.dmpFilesize
4.0MB
-
memory/648-2-0x00000000049D0000-0x00000000052BB000-memory.dmpFilesize
8.9MB
-
memory/648-3-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/648-4-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/648-35-0x00000000049D0000-0x00000000052BB000-memory.dmpFilesize
8.9MB
-
memory/648-1-0x00000000045D0000-0x00000000049CF000-memory.dmpFilesize
4.0MB
-
memory/648-59-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/648-26-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/1412-123-0x0000000070A00000-0x0000000070A4C000-memory.dmpFilesize
304KB
-
memory/1412-124-0x0000000070B80000-0x0000000070ED4000-memory.dmpFilesize
3.3MB
-
memory/1784-260-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1784-248-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1784-234-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1784-240-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2124-72-0x0000000070B80000-0x0000000070ED4000-memory.dmpFilesize
3.3MB
-
memory/2124-85-0x0000000007630000-0x0000000007644000-memory.dmpFilesize
80KB
-
memory/2124-70-0x0000000005B50000-0x0000000005EA4000-memory.dmpFilesize
3.3MB
-
memory/2124-71-0x0000000070A00000-0x0000000070A4C000-memory.dmpFilesize
304KB
-
memory/2124-82-0x00000000072D0000-0x0000000007373000-memory.dmpFilesize
652KB
-
memory/2124-84-0x00000000075C0000-0x00000000075D1000-memory.dmpFilesize
68KB
-
memory/2356-206-0x00000000710D0000-0x0000000071424000-memory.dmpFilesize
3.3MB
-
memory/2356-205-0x0000000070920000-0x000000007096C000-memory.dmpFilesize
304KB
-
memory/2620-167-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-219-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-230-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-239-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-243-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-247-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-251-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-255-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/2620-259-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/3632-181-0x00000000710D0000-0x0000000071424000-memory.dmpFilesize
3.3MB
-
memory/3632-173-0x0000000006210000-0x0000000006564000-memory.dmpFilesize
3.3MB
-
memory/3632-193-0x00000000066E0000-0x00000000066F4000-memory.dmpFilesize
80KB
-
memory/3632-192-0x0000000007CD0000-0x0000000007CE1000-memory.dmpFilesize
68KB
-
memory/3632-191-0x0000000007B50000-0x0000000007BF3000-memory.dmpFilesize
652KB
-
memory/3632-180-0x0000000070920000-0x000000007096C000-memory.dmpFilesize
304KB
-
memory/3632-179-0x0000000006DE0000-0x0000000006E2C000-memory.dmpFilesize
304KB
-
memory/3852-97-0x0000000005630000-0x0000000005984000-memory.dmpFilesize
3.3MB
-
memory/3852-101-0x0000000070A00000-0x0000000070A4C000-memory.dmpFilesize
304KB
-
memory/3852-102-0x00000000711A0000-0x00000000714F4000-memory.dmpFilesize
3.3MB
-
memory/4436-48-0x00000000075A0000-0x00000000075AA000-memory.dmpFilesize
40KB
-
memory/4436-30-0x0000000007290000-0x00000000072AA000-memory.dmpFilesize
104KB
-
memory/4436-58-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4436-47-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4436-5-0x0000000074B6E000-0x0000000074B6F000-memory.dmpFilesize
4KB
-
memory/4436-6-0x0000000002840000-0x0000000002876000-memory.dmpFilesize
216KB
-
memory/4436-46-0x00000000074B0000-0x0000000007553000-memory.dmpFilesize
652KB
-
memory/4436-7-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4436-8-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4436-34-0x0000000070DF0000-0x0000000071144000-memory.dmpFilesize
3.3MB
-
memory/4436-50-0x00000000075C0000-0x00000000075D1000-memory.dmpFilesize
68KB
-
memory/4436-45-0x0000000007450000-0x000000000746E000-memory.dmpFilesize
120KB
-
memory/4436-52-0x0000000007600000-0x000000000760E000-memory.dmpFilesize
56KB
-
memory/4436-53-0x0000000007610000-0x0000000007624000-memory.dmpFilesize
80KB
-
memory/4436-33-0x0000000070A00000-0x0000000070A4C000-memory.dmpFilesize
304KB
-
memory/4436-54-0x0000000007700000-0x000000000771A000-memory.dmpFilesize
104KB
-
memory/4436-55-0x0000000007640000-0x0000000007648000-memory.dmpFilesize
32KB
-
memory/4436-9-0x0000000005010000-0x0000000005638000-memory.dmpFilesize
6.2MB
-
memory/4436-32-0x0000000007470000-0x00000000074A2000-memory.dmpFilesize
200KB
-
memory/4436-49-0x0000000007660000-0x00000000076F6000-memory.dmpFilesize
600KB
-
memory/4436-29-0x00000000078E0000-0x0000000007F5A000-memory.dmpFilesize
6.5MB
-
memory/4436-28-0x0000000007190000-0x0000000007206000-memory.dmpFilesize
472KB
-
memory/4436-27-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/4436-25-0x00000000063A0000-0x00000000063E4000-memory.dmpFilesize
272KB
-
memory/4436-10-0x0000000004E50000-0x0000000004E72000-memory.dmpFilesize
136KB
-
memory/4436-24-0x0000000005F70000-0x0000000005FBC000-memory.dmpFilesize
304KB
-
memory/4436-23-0x0000000005ED0000-0x0000000005EEE000-memory.dmpFilesize
120KB
-
memory/4436-11-0x0000000005640000-0x00000000056A6000-memory.dmpFilesize
408KB
-
memory/4436-18-0x00000000057E0000-0x0000000005B34000-memory.dmpFilesize
3.3MB
-
memory/4436-12-0x00000000056B0000-0x0000000005716000-memory.dmpFilesize
408KB
-
memory/4504-155-0x0000000071180000-0x00000000714D4000-memory.dmpFilesize
3.3MB
-
memory/4504-154-0x0000000070A00000-0x0000000070A4C000-memory.dmpFilesize
304KB
-
memory/4504-151-0x0000000005700000-0x0000000005A54000-memory.dmpFilesize
3.3MB
-
memory/4688-236-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4688-231-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4912-83-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB
-
memory/4912-140-0x0000000000400000-0x000000000295D000-memory.dmpFilesize
37.4MB