Analysis
-
max time kernel
99s
-
max time network
104s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
09-11-2020 20:17
Static task
static1
Behavioral task
behavioral1
Sample
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
Resource
win10v20201028
General
-
Target
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
-
Size
91KB
-
MD5
b0008e752f488d7e97a8d2452411527e
-
SHA1
56d655932ebbf59bfcc49ca2afc78db16cb7b889
-
SHA256
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd
-
SHA512
667bca43c63e1602aeb61bcf72eb9dbd86ad42063cebe8dc179a46c5bea723abdaafb75b5713f3cbba5e7e610a85b1c50beb47056250016e79a1b8a03d644bdf
Malware Config
Extracted
C:\odt\782AB-Readme.txt
netwalker
2Hamlampampom@cock.li
Galgalgalgalk@tutanota.com
Extracted
C:\Program Files\Microsoft Office\782AB-Readme.txt
netwalker
2Hamlampampom@cock.li
Galgalgalgalk@tutanota.com
Extracted
C:\Users\Admin\Music\782AB-Readme.txt
netwalker
2Hamlampampom@cock.li
Galgalgalgalk@tutanota.com
Extracted
C:\Users\Admin\Desktop\782AB-Readme.txt
netwalker
2Hamlampampom@cock.li
Galgalgalgalk@tutanota.com
Extracted
C:\Program Files\Microsoft Office\root\Office16\782AB-Readme.txt
netwalker
2Hamlampampom@cock.li
Galgalgalgalk@tutanota.com
Signatures
-
Detected Netwalker Ransomware 2 IoCs
Detected unpacked Netwalker executable.
Processes:
resource | yara_rule
behavioral2/memory/1144-1-0x0000000000CD0000-0x0000000000CEB000-memory.dmp | netwalker_ransomware
behavioral2/memory/3912-3-0x00000000053E0000-0x00000000053FB000-memory.dmp | netwalker_ransomware
-
Netwalker Ransomware
Ransomware family with multiple versions. Also known as MailTo.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
explorer.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\DenyClose.tiff | explorer.exe
-
Deletes itself 1 IoCs
Processes:
explorer.exe
pid | process
3912 | explorer.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782ab46d = "C:\\Program Files (x86)\\782ab46d\\782ab46d.exe" | explorer.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
description | pid | process | target process
PID 1144 set thread context of 3912 | 1144 | 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe | explorer.exe
-
Drops file in Program Files directory 17197 IoCs
Processes:
explorer.exe
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe, vssadmin.exe, vssadmin.exe
pid | process
684 | vssadmin.exe
2388 | vssadmin.exe
9592 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 17481 IoCs
Processes:
explorer.exe, explorer.exe
pid | process
3912 | explorer.exe
696 | explorer.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe, explorer.exe
pid | process
1144 | 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
3912 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
explorer.exe, explorer.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 3912 | explorer.exe
Token: SeDebugPrivilege | 696 | explorer.exe
Token: SeBackupPrivilege | 1288 | vssvc.exe
Token: SeRestorePrivilege | 1288 | vssvc.exe
Token: SeAuditPrivilege | 1288 | vssvc.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe, explorer.exe, explorer.exe
description | pid | process | target process
PID 1144 wrote to memory of 3912 | 1144 | 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe | explorer.exe
PID 1144 wrote to memory of 3912 | 1144 | 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe | explorer.exe
PID 1144 wrote to memory of 3912 | 1144 | 5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe | explorer.exe
PID 3912 wrote to memory of 684 | 3912 | explorer.exe | vssadmin.exe
PID 3912 wrote to memory of 684 | 3912 | explorer.exe | vssadmin.exe
PID 3912 wrote to memory of 696 | 3912 | explorer.exe | explorer.exe
PID 3912 wrote to memory of 696 | 3912 | explorer.exe | explorer.exe
PID 3912 wrote to memory of 696 | 3912 | explorer.exe | explorer.exe
PID 696 wrote to memory of 2388 | 696 | explorer.exe | vssadmin.exe
PID 696 wrote to memory of 2388 | 696 | explorer.exe | vssadmin.exe
PID 3912 wrote to memory of 9304 | 3912 | explorer.exe | notepad.exe
PID 3912 wrote to memory of 9304 | 3912 | explorer.exe | notepad.exe
PID 3912 wrote to memory of 9304 | 3912 | explorer.exe | notepad.exe
PID 3912 wrote to memory of 9592 | 3912 | explorer.exe | vssadmin.exe
PID 3912 wrote to memory of 9592 | 3912 | explorer.exe | vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe
"C:\Users\Admin\AppData\Local\Temp\5e03e3d93a456405952cdadee3018043789f118b871b93d113ce371c079f19dd.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" 2⤵
- Modifies extensions of user files
- Deletes itself
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet 3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe" 3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet 4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\notepad.exe C:\Users\Admin\Desktop\782AB-Readme.txt 3⤵
-
C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe delete shadows /all /quiet 3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\782AB-Readme.txt
MD5
a3fe186ea9d2667ac4fdd5df1146aec7
SHA1
93cd90e936552a851a21f1b3844ce4d06e01d0a4
SHA256
398d49039eeb1339fd5ab35a461691b393ca467d744cf29a1dfc0055aa4339dc
SHA512
23417aacfae4e8b70c53246894b95b155d485f5a1ea7b3ab1813b798e049e60fcaddeb0c96ff6eaf4987950dcb34176a60c820e4af1fc43d6b02bbaf55ddfee1
-
memory/684-2-0x0000000000000000-mapping.dmp
-
memory/696-4-0x0000000000000000-mapping.dmp
-
memory/1144-1-0x0000000000CD0000-0x0000000000CEB000-memory.dmp
Filesize
108KB
-
memory/2388-5-0x0000000000000000-mapping.dmp
-
memory/3912-0-0x0000000000000000-mapping.dmp
-
memory/3912-3-0x00000000053E0000-0x00000000053FB000-memory.dmp
Filesize
108KB
-
memory/9304-6-0x0000000000000000-mapping.dmp
-
memory/9592-7-0x0000000000000000-mapping.dmp