Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
07-05-2021 04:05
Static task
static1
Behavioral task
behavioral1
Sample
Compile.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Compile.exe
Resource
win10v20210408
General
-
Target
Compile.exe
-
Size
6.6MB
-
MD5
0063315a032fd1d3728c2f6e726a30d0
-
SHA1
9c2bc3b753ee4ce52f9d48f9d2c067cb1ce5eb24
-
SHA256
f0f3009b3d88e680f9e022575be694cb565ec8824d8d3252a8af43b00fb2dd36
-
SHA512
0c5d05c8dfdbf7f7394664054a9acd0d02ac54f7eac8e78dae2f8987583c7a66974e1fe1b4e429df710d1f0b5d6c711da96113ec0d497be14355336cf854450f
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Compile.exedescription ioc process File renamed C:\Users\Admin\Pictures\ReceiveWait.tif => C:\Users\Admin\Pictures\ReceiveWait.tif.GoNNaCry Compile.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Compile.exereg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "c58274b7dbb175519dd0c8eccc4fad06a2bbe7588a2850f9ac865f8bb6fa2e61c58274b7dbb175519dd0c8eccc4fad06" Compile.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\WindowsSecurityUpdate.exe /onboot" reg.exe -
Drops desktop.ini file(s) 26 IoCs
Processes:
Compile.exedescription ioc process File created C:\Users\Admin\Favorites\Links for United States\desktop.ini Compile.exe File created C:\Users\Admin\Links\desktop.ini Compile.exe File created C:\Users\Public\Desktop\desktop.ini Compile.exe File created C:\Users\Public\Videos\Sample Videos\desktop.ini Compile.exe File created C:\Users\Admin\Downloads\desktop.ini Compile.exe File created C:\Users\Public\Documents\desktop.ini Compile.exe File created C:\Users\Public\Music\desktop.ini Compile.exe File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini Compile.exe File created C:\Users\Public\Pictures\desktop.ini Compile.exe File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini Compile.exe File created C:\Users\Public\Videos\desktop.ini Compile.exe File created C:\Users\Public\desktop.ini Compile.exe File created C:\Users\Admin\Pictures\desktop.ini Compile.exe File created C:\Users\Admin\Saved Games\desktop.ini Compile.exe File created C:\Users\Public\Downloads\desktop.ini Compile.exe File created C:\Users\Public\Libraries\desktop.ini Compile.exe File created C:\Users\Public\Recorded TV\desktop.ini Compile.exe File created C:\Users\Admin\Music\desktop.ini Compile.exe File created C:\Users\Admin\Desktop\desktop.ini Compile.exe File created C:\Users\Admin\Documents\desktop.ini Compile.exe File created C:\Users\Admin\Favorites\Links\desktop.ini Compile.exe File created C:\Users\Admin\Favorites\desktop.ini Compile.exe File created C:\Users\Admin\Searches\desktop.ini Compile.exe File created C:\Users\Admin\Videos\desktop.ini Compile.exe File created C:\Users\Public\Music\Sample Music\desktop.ini Compile.exe File created C:\Users\Admin\Contacts\desktop.ini Compile.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 icanhazip.com 5 icanhazip.com -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Processes:
IEXPLORE.EXEiexplore.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000a1d996fff1a0faee4d367313a442a57cf4302d3fb292bd60f7819063b46625ac000000000e80000000020000200000002dd8287b992c7224ebbfe2f6cf6f6202fc079ef956658d8738dc3f18d006a6c690000000a6c7a20c0f234a15a5f7f594447850cdb32e98ca392872de3e7b3b8d084a50e71d5712779258d9b5e8a4166f9f63f6f1b5db2e8866e1231b3d093e556b83fd62932647034662e1893d0fedb71c0a4aea48f99478f5c5e4826a809f849b74ab305d843a51d3a9d46c0548e6926db2211d0644fb5d684bb3fd040602ef696aa0dbbbc9d45778c0d559930a14285abd4036400000000821a0345d0c5e27c19c1dbe5daeb03e461078a2bd96b60558b8a56c381f7c57dc84642d0b78d369155e5edd337c309d7902a558e2c961ab1a2bde0a37409d80 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000007b265cca46656ee4ec6eb5484bd3c3b4403d1e85ee63c45eff04ea8a554fcfc5000000000e80000000020000200000005e28f5b88ef33a6aee3d3c459c0e1509b5e7730b90885daa0437f02a2a5612f820000000883f88965d937f19527869f9ab42104041cd3c37292f815ff75af83e3a8ca47b40000000c5bb7b778ee59ee5700220d3d6f7e14a977d0fbdfb1b18923bab75aab26091485c01f1d2bfbacc6f2824bcd241a1534b1534eaef82407ac06737febba9f72049 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327125581" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{192E42B1-AEEA-11EB-8EA8-5EDBF02B0D68} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c3a9eef642d701 iexplore.exe -
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
tasklist.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 1988 tasklist.exe Token: SeIncreaseQuotaPrivilege 1692 WMIC.exe Token: SeSecurityPrivilege 1692 WMIC.exe Token: SeTakeOwnershipPrivilege 1692 WMIC.exe Token: SeLoadDriverPrivilege 1692 WMIC.exe Token: SeSystemProfilePrivilege 1692 WMIC.exe Token: SeSystemtimePrivilege 1692 WMIC.exe Token: SeProfSingleProcessPrivilege 1692 WMIC.exe Token: SeIncBasePriorityPrivilege 1692 WMIC.exe Token: SeCreatePagefilePrivilege 1692 WMIC.exe Token: SeBackupPrivilege 1692 WMIC.exe Token: SeRestorePrivilege 1692 WMIC.exe Token: SeShutdownPrivilege 1692 WMIC.exe Token: SeDebugPrivilege 1692 WMIC.exe Token: SeSystemEnvironmentPrivilege 1692 WMIC.exe Token: SeRemoteShutdownPrivilege 1692 WMIC.exe Token: SeUndockPrivilege 1692 WMIC.exe Token: SeManageVolumePrivilege 1692 WMIC.exe Token: 33 1692 WMIC.exe Token: 34 1692 WMIC.exe Token: 35 1692 WMIC.exe Token: SeIncreaseQuotaPrivilege 1692 WMIC.exe Token: SeSecurityPrivilege 1692 WMIC.exe Token: SeTakeOwnershipPrivilege 1692 WMIC.exe Token: SeLoadDriverPrivilege 1692 WMIC.exe Token: SeSystemProfilePrivilege 1692 WMIC.exe Token: SeSystemtimePrivilege 1692 WMIC.exe Token: SeProfSingleProcessPrivilege 1692 WMIC.exe Token: SeIncBasePriorityPrivilege 1692 WMIC.exe Token: SeCreatePagefilePrivilege 1692 WMIC.exe Token: SeBackupPrivilege 1692 WMIC.exe Token: SeRestorePrivilege 1692 WMIC.exe Token: SeShutdownPrivilege 1692 WMIC.exe Token: SeDebugPrivilege 1692 WMIC.exe Token: SeSystemEnvironmentPrivilege 1692 WMIC.exe Token: SeRemoteShutdownPrivilege 1692 WMIC.exe Token: SeUndockPrivilege 1692 WMIC.exe Token: SeManageVolumePrivilege 1692 WMIC.exe Token: 33 1692 WMIC.exe Token: 34 1692 WMIC.exe Token: 35 1692 WMIC.exe Token: SeBackupPrivilege 748 vssvc.exe Token: SeRestorePrivilege 748 vssvc.exe Token: SeAuditPrivilege 748 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 480 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 480 iexplore.exe 480 iexplore.exe 988 IEXPLORE.EXE 988 IEXPLORE.EXE 988 IEXPLORE.EXE 988 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
Compile.execmd.execmd.execmd.execmd.exeiexplore.exedescription pid process target process PID 1096 wrote to memory of 1988 1096 Compile.exe tasklist.exe PID 1096 wrote to memory of 1988 1096 Compile.exe tasklist.exe PID 1096 wrote to memory of 1988 1096 Compile.exe tasklist.exe PID 1096 wrote to memory of 1592 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 1592 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 1592 1096 Compile.exe cmd.exe PID 1592 wrote to memory of 1640 1592 cmd.exe vssadmin.exe PID 1592 wrote to memory of 1640 1592 cmd.exe vssadmin.exe PID 1592 wrote to memory of 1640 1592 cmd.exe vssadmin.exe PID 1592 wrote to memory of 1692 1592 cmd.exe WMIC.exe PID 1592 wrote to memory of 1692 1592 cmd.exe WMIC.exe PID 1592 wrote to memory of 1692 1592 cmd.exe WMIC.exe PID 1096 wrote to memory of 692 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 692 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 692 1096 Compile.exe cmd.exe PID 692 wrote to memory of 816 692 cmd.exe bcdedit.exe PID 692 wrote to memory of 816 692 cmd.exe bcdedit.exe PID 692 wrote to memory of 816 692 cmd.exe bcdedit.exe PID 1096 wrote to memory of 1208 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 1208 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 1208 1096 Compile.exe cmd.exe PID 1208 wrote to memory of 436 1208 cmd.exe reg.exe PID 1208 wrote to memory of 436 1208 cmd.exe reg.exe PID 1208 wrote to memory of 436 1208 cmd.exe reg.exe PID 1096 wrote to memory of 1928 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 1928 1096 Compile.exe cmd.exe PID 1096 wrote to memory of 1928 1096 Compile.exe cmd.exe PID 1928 wrote to memory of 1608 1928 cmd.exe reg.exe PID 1928 wrote to memory of 1608 1928 cmd.exe reg.exe PID 1928 wrote to memory of 1608 1928 cmd.exe reg.exe PID 480 wrote to memory of 988 480 iexplore.exe IEXPLORE.EXE PID 480 wrote to memory of 988 480 iexplore.exe IEXPLORE.EXE PID 480 wrote to memory of 988 480 iexplore.exe IEXPLORE.EXE PID 480 wrote to memory of 988 480 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Compile.exe"C:\Users\Admin\AppData\Local\Temp\Compile.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO csv2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadow /all /quiet3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.execmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\system32\cmd.execmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\GoNNaCry.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:480 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D6OABS3B.txtMD5
a20980c94204fbd753c47a4a52f48a5f
SHA156dafc4a53e790b6e55085c7253e71d0ffba4dd7
SHA2564c33326c79f9314dd94e08d08c611f27754f67002c9bfeca585b3b9f05eae73b
SHA5127d16dccaa94dcf2ee1299a932daff9ebf5094b9fcc6c74c63905e9441867dab840c824c4c236f7c37a2b138d5017433bf3ed4d529ac36a4c8ab7974b193f0ebf
-
C:\Users\Admin\Desktop\GoNNaCry.htmlMD5
2a98640cf82a2d99b18ddc74c95fbb3e
SHA1697d596afde0c0e4255b932d1f12ab33d7a25d4f
SHA2565acc15c84bfa4021b81b92512d5d37d3951d9d62c33370ff85133b4bf6454631
SHA512bdde8800ed2168ab33e5c88943979dc8ff9840b944cedb431a36f6b71268b30f505d893d4829add6cc23050fac6e32a95ed03d2c9c51774cd5f6755b82892783
-
memory/436-67-0x0000000000000000-mapping.dmp
-
memory/692-64-0x0000000000000000-mapping.dmp
-
memory/816-65-0x0000000000000000-mapping.dmp
-
memory/988-70-0x0000000000000000-mapping.dmp
-
memory/988-71-0x0000000075281000-0x0000000075283000-memory.dmpFilesize
8KB
-
memory/1208-66-0x0000000000000000-mapping.dmp
-
memory/1592-61-0x0000000000000000-mapping.dmp
-
memory/1608-69-0x0000000000000000-mapping.dmp
-
memory/1640-62-0x0000000000000000-mapping.dmp
-
memory/1692-63-0x0000000000000000-mapping.dmp
-
memory/1928-68-0x0000000000000000-mapping.dmp
-
memory/1988-60-0x0000000000000000-mapping.dmp