Analysis
-
max time kernel
203s
-
max time network
207s
-
platform
windows10_x64
-
resource
win10-20220223-en
-
submitted
28-03-2022 18:05
Static task
static1
Behavioral task
behavioral1
Sample
TopjQOYSxpfdTGMA.doc
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
TopjQOYSxpfdTGMA.doc
Resource
win10-20220223-en
General
-
Target
TopjQOYSxpfdTGMA.doc
-
Size
943KB
-
MD5
45a45e8755d528a77314b2be258614df
-
SHA1
ac76e90a575865376c80a06c9f445110ff9e8819
-
SHA256
36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925
-
SHA512
47e687de6504ae5ec5eee0f1012c20c7b8cfc35f0efd203718b2c87160c1523087268a50a9a5b7177431325d79da8f7e247f4d5bb4e0dadcd14d5e9c960c0b2a
Malware Config
Extracted
hancitor
2103_punosh
http://nanogeelr.com/9/forum.php
http://ockpitehou.ru/9/forum.php
http://lumentsawfu.ru/9/forum.php
Signatures
-
Hancitor
Hancitor is a downloader used to deliver other malware families.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
extrac32.exe, rundll32.exe, rundll32.exe

| description | pid | pid_target | process | target process |
| --- | --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2180 | 3404 | extrac32.exe | WINWORD.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2756 | 3404 | rundll32.exe | WINWORD.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 204 | 348 | rundll32.exe | WINWORD.EXE |

-
suricata: ET MALWARE Suspected Win32/Hancitor Checkin
-
Blocklisted process makes network request 6 IoCs
Processes:
rundll32.exe, rundll32.exe

| flow | pid | process |
| --- | --- | --- |
| 12 | 2024 | rundll32.exe |
| 15 | 2024 | rundll32.exe |
| 29 | 2188 | rundll32.exe |
| 31 | 2188 | rundll32.exe |
| 35 | 2024 | rundll32.exe |
| 36 | 2188 | rundll32.exe |

-
Loads dropped DLL 3 IoCs
Processes:
rundll32.exe, rundll32.exe

| pid | process |
| --- | --- |
| 2024 | rundll32.exe |
| 2188 | rundll32.exe |
| 2188 | rundll32.exe |

-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
| flow | ioc |
| --- | --- |
| 28 | api.ipify.org |
| 11 | api.ipify.org |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE, WINWORD.EXE

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |

-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXE, WINWORD.EXE

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |

-
Modifies registry class 1 IoCs
Processes:
cmd.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings | cmd.exe |

-
NTFS ADS 5 IoCs
Processes:
WINWORD.EXE, WINWORD.EXE

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{230AACC6-A3FD-40BF-B241-70A7AFF8F6F4}\borw4.doc:Zone.Identifier | WINWORD.EXE |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{230AACC6-A3FD-40BF-B241-70A7AFF8F6F4}\borw4 (2).doc:Zone.Identifier | WINWORD.EXE |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{230AACC6-A3FD-40BF-B241-70A7AFF8F6F4}\helf.hp_:Zone.Identifier | WINWORD.EXE |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{C2529970-917E-4E64-9284-0953F4B4A323}\borw4.doc:Zone.Identifier | WINWORD.EXE |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{C2529970-917E-4E64-9284-0953F4B4A323}\borw4 (2).doc:Zone.Identifier | WINWORD.EXE |

-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes:
WINWORD.EXE, WINWORD.EXE

| pid | process |
| --- | --- |
| 3404 | WINWORD.EXE |
| 3404 | WINWORD.EXE |
| 348 | WINWORD.EXE |
| 348 | WINWORD.EXE |

-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
rundll32.exe, powershell.exe, rundll32.exe

| pid | process |
| --- | --- |
| 2024 | rundll32.exe |
| 2024 | rundll32.exe |
| 4076 | powershell.exe |
| 4076 | powershell.exe |
| 4076 | powershell.exe |
| 2188 | rundll32.exe |
| 2188 | rundll32.exe |
| 2024 | rundll32.exe |
| 2024 | rundll32.exe |
| 2188 | rundll32.exe |
| 2188 | rundll32.exe |

-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4076 | powershell.exe |

-
Suspicious use of SetWindowsHookEx 33 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
WINWORD.EXE, rundll32.exe, powershell.exe, cmd.exe, WINWORD.EXE, rundll32.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3404 wrote to memory of 2152 | 3404 | WINWORD.EXE | splwow64.exe |
| PID 3404 wrote to memory of 2152 | 3404 | WINWORD.EXE | splwow64.exe |
| PID 3404 wrote to memory of 2180 | 3404 | WINWORD.EXE | extrac32.exe |
| PID 3404 wrote to memory of 2180 | 3404 | WINWORD.EXE | extrac32.exe |
| PID 3404 wrote to memory of 2756 | 3404 | WINWORD.EXE | rundll32.exe |
| PID 3404 wrote to memory of 2756 | 3404 | WINWORD.EXE | rundll32.exe |
| PID 2756 wrote to memory of 2024 | 2756 | rundll32.exe | rundll32.exe |
| PID 2756 wrote to memory of 2024 | 2756 | rundll32.exe | rundll32.exe |
| PID 2756 wrote to memory of 2024 | 2756 | rundll32.exe | rundll32.exe |
| PID 4076 wrote to memory of 3440 | 4076 | powershell.exe | cmd.exe |
| PID 4076 wrote to memory of 3440 | 4076 | powershell.exe | cmd.exe |
| PID 3440 wrote to memory of 348 | 3440 | cmd.exe | WINWORD.EXE |
| PID 3440 wrote to memory of 348 | 3440 | cmd.exe | WINWORD.EXE |
| PID 348 wrote to memory of 204 | 348 | WINWORD.EXE | rundll32.exe |
| PID 348 wrote to memory of 204 | 348 | WINWORD.EXE | rundll32.exe |
| PID 204 wrote to memory of 2188 | 204 | rundll32.exe | rundll32.exe |
| PID 204 wrote to memory of 2188 | 204 | rundll32.exe | rundll32.exe |
| PID 204 wrote to memory of 2188 | 204 | rundll32.exe | rundll32.exe |
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TopjQOYSxpfdTGMA.doc" /o "" 1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288 2⤵
-
C:\Windows\SYSTEM32\extrac32.exe
extrac32.exe helff.hp_ 2⤵
- Process spawned unexpected child process
-
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS 2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS 3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" 2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TopjQOYSxpfdTGMA.doc" /o "" 3⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS 4⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS 5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads