Analysis
max time kernel: 1799s
max time network: 1800s
platform: windows7_x64
resource: win7v20201028
submitted: 20-11-2020 21:51
Static task: static1
Behavioral task: behavioral1
Sample: deed contract_11.19.2020.doc
Resource: win7v20201028
General
Target: deed contract_11.19.2020.doc
Size: 104KB
MD5: ab684a20573095e717d981ecf1aa3628
SHA1: 03e64be4b32f995c92d9a520e577af69ee74ac73
SHA256: 256fb74261454862a7d60629f94cfd17111a2e94d25abd68046be2b4ed4d9b87
SHA512: b2aa52ad891f18ff76ddb3ba89518a1f599003d044b3e2e3525a605e467b81840286cef764c3caae128f44bfe14e2f28520d303a302076dc77b02cb147a89549
Malware Config
Signatures
Blacklisted process makes network request 70 IoCs
Executes dropped EXE 1 IoCs
Processes:
in.com (pid 1152)
Loads dropped DLL 3 IoCs
Processes:
WINWORD.EXE (pid 1040)
rundll32.exe (pid 680)
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE: File opened for modification C:\Windows\Debug\WIA\wiatrace.log
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Processes:
WINWORD.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
in.com: Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main
WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar
WINWORD.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
WINWORD.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt
WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
WINWORD.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
WINWORD.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Modifies system certificate store
Processes:
rundll32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
rundll32.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE (pid 1040)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WINWORD.EXE (pid 1040)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXE (pid 1040): Token: SeShutdownPrivilege
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXE (pid 1040)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
WINWORD.EXE (pid 1040): PID 1040 wrote to memory of 1152 (target process in.com)
WINWORD.EXE (pid 1040): PID 1040 wrote to memory of 1800 (target process splwow64.exe)
in.com (pid 1152): PID 1152 wrote to memory of 680 (target process rundll32.exe)
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract_11.19.2020.doc"
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\in.com
  "C:\Users\Admin\AppData\Local\Temp\in.com" C:\Users\Admin\AppData\Local\Temp\in.html
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp,ShowDialogA -r
    - Blacklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store

  C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
Downloads
C:\Users\Admin\AppData\Local\Temp\in.com
MD5: abdfc692d9fe43e2ba8fe6cb5a8cb95a
SHA1: d4f0397f83083e1c6fb0894187cc72aebcf2f34f
SHA256: 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
SHA512: c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f
C:\Users\Admin\AppData\Local\Temp\in.html
MD5: 5897a9ec9e6d33494599a6f48c5ab622
SHA1: 1451ccf5e1d28c08430b3a4bb15ee57e9d35bf6b
SHA256: 3d9f00f9355fb518d2104bf07c5b8068a98ee357bacea2c4610cab34b55be9e5
SHA512: 6693b49c6666c59bcc79aacedc95186c34c9b7890fa2a7115bd29c1d10f97c7912bdf78b05b1b5db838693da14ebb23c0f04008ae5e79d3563c6aa1db97514e0
C:\Users\Admin\AppData\Local\Temp\temp.tmp
MD5: 1296a2f1297fc4f50c7272f25a30539c
SHA1: 3232cc880600c2afd3fc6e3f88e10b0eb7d47e13
SHA256: a693a20855c3b8971ddd112a73664c2d895149ed7b9b7e0a30c35f44fed65601
SHA512: 3285e5976b772389da7391ee0ee8075ebe46aa5686a34b02c32e28f0e4697d963274c97bb4d6caeaec60625ced0c2aa702ec1f762ee2fa47fc0e5374f7f86219
\Users\Admin\AppData\Local\Temp\in.com
MD5: abdfc692d9fe43e2ba8fe6cb5a8cb95a
SHA1: d4f0397f83083e1c6fb0894187cc72aebcf2f34f
SHA256: 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
SHA512: c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f
\Users\Admin\AppData\Local\Temp\temp.tmp
MD5: 1296a2f1297fc4f50c7272f25a30539c
SHA1: 3232cc880600c2afd3fc6e3f88e10b0eb7d47e13
SHA256: a693a20855c3b8971ddd112a73664c2d895149ed7b9b7e0a30c35f44fed65601
SHA512: 3285e5976b772389da7391ee0ee8075ebe46aa5686a34b02c32e28f0e4697d963274c97bb4d6caeaec60625ced0c2aa702ec1f762ee2fa47fc0e5374f7f86219