Analysis
max time kernel: 97s
max time network: 101s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2022 18:28
Static task
static1
Behavioral task
behavioral1
Sample
Scan_Invoice_12-09#46.msi
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Scan_Invoice_12-09#46.msi
Resource
win10v2004-20220812-en
General
-
Target
Scan_Invoice_12-09#46.msi
-
Size
824KB
-
MD5
eb93a0d10c8b95407415ddbfdb98e1b9
-
SHA1
74350debcdc7cfab67bcb612750fb4cb1f791649
-
SHA256
b1d89aa18cd6e5e8e007713b1f79ae72238e85211c19d403b02ace2eac464e67
-
SHA512
046ce84e6e90885419a9a1974468f7565ea9aa21945bc8987212e175178c1ce5cd61253a8b34f517fafddb307d8264361a5794a673e2e78d56df3490b66b1dff
-
SSDEEP
24576:HHL049mTn3Tp9Lol00aID/kJAHC+WPXoPcTPbgrQlRNKIg8gx:Hr04a3k00o+WPXoPcTPbgrQlRNKIg8g
Malware Config
Extracted
icedid
1178326404
broskabrwaf.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exe
flow | pid | process
2 | 1572 | rundll32.exe
4 | 1572 | rundll32.exe
-
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exe, rundll32.exe, rundll32.exe
pid | process
1832 | MsiExec.exe
2024 | rundll32.exe
1572 | rundll32.exe
1572 | rundll32.exe
1572 | rundll32.exe
1572 | rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
Processes:
msiexec.exe, rundll32.exe, DrvInst.exe
description | ioc | process
File created | C:\Windows\Installer\6c8caa.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F68.tmp-\test.cs.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI8F68.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\6c8ca7.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8EF7.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F68.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\6c8ca8.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F68.tmp-\WixSharp.dll | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\6c8ca7.msi | msiexec.exe
File created | C:\Windows\Installer\6c8ca8.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8F68.tmp-\CustomAction.config | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exe, rundll32.exe
pid | process
984 | msiexec.exe
984 | msiexec.exe
1572 | rundll32.exe
1572 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid | process
1128 | msiexec.exe
1128 | msiexec.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
msiexec.exe, MsiExec.exe, rundll32.exe
description | pid | process | target process
PID 984 wrote to memory of 1832 | 984 | msiexec.exe | MsiExec.exe
PID 984 wrote to memory of 1832 | 984 | msiexec.exe | MsiExec.exe
PID 984 wrote to memory of 1832 | 984 | msiexec.exe | MsiExec.exe
PID 984 wrote to memory of 1832 | 984 | msiexec.exe | MsiExec.exe
PID 984 wrote to memory of 1832 | 984 | msiexec.exe | MsiExec.exe
PID 1832 wrote to memory of 2024 | 1832 | MsiExec.exe | rundll32.exe
PID 1832 wrote to memory of 2024 | 1832 | MsiExec.exe | rundll32.exe
PID 1832 wrote to memory of 2024 | 1832 | MsiExec.exe | rundll32.exe
PID 2024 wrote to memory of 1572 | 2024 | rundll32.exe | rundll32.exe
PID 2024 wrote to memory of 1572 | 2024 | rundll32.exe | rundll32.exe
PID 2024 wrote to memory of 1572 | 2024 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#46.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 51D0A722273CE4A75CDBCF71C0B6D052
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI8F68.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7114909 1 test.cs!Test.CustomActions.MyAction
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9C02.dll",init
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D4" "0000000000000494"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9C02.dll
Filesize: 374KB
MD5: eaf85e9f10d0e3079484391d29307ae9
SHA1: f82505f4699ed2df7a1a9fb46a12005f8528a175
SHA256: 6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6
SHA512: 64e60335f7c10b838fa9e0ba3dc3d883ab5e62972e980090f04d90f2342e78ee916e39fb814dff02e020fe6c412c2486f30fd7f5a2082b58ae9c2d548e022f2a
-
C:\Windows\Installer\MSI8F68.tmp
Filesize: 413KB
MD5: ed0a7ca6d9631c07104d5d62b2e6b606
SHA1: acc2305cdd56f8541d89d815b80a304361c87dae
SHA256: d1242cdbd87cb95e50a569320dc34b59f694eec569232f426370ced512793318
SHA512: d297bf55555db5e2b64eb2e0741055c58e1d229d68697b5e2a4b227fd6807783ba99db32fa2286bf35830e30d96b2763a430e4b726e4333997fee1e5e2d40108