Analysis
-
max time kernel
136s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
24-11-2022 08:01
Static task
static1
Behavioral task
behavioral1
Sample
56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d.exe
Resource
win7-20221111-en
General
-
Target
56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d.exe
-
Size
2.5MB
-
MD5
fbd003feca3b6eb908b77fe9a564f935
-
SHA1
3ec2763006f7e8532fbe53bc9ef624271187e83c
-
SHA256
56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d
-
SHA512
c21872dc910f512b88b2291e3623bc518e1a75e6ce3cca907ec3f91edc22e99be18e659c10565e60800d635140fdf6b6d9bda2dffedc9570ab31da42526e8f13
-
SSDEEP
49152:h1OsOiyHB4gGmE0PSZ+MtfLTzgv6eIWYboKQCPzrP10S6T+7qnxai:h1OqyhFh2Y6ehDl
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
RxEfFqmvhE6tBxI.exe
pid | process
4840 | RxEfFqmvhE6tBxI.exe
-
Loads dropped DLL 3 IoCs
Processes:
RxEfFqmvhE6tBxI.exe, regsvr32.exe, regsvr32.exe
pid | process
4840 | RxEfFqmvhE6tBxI.exe
1196 | regsvr32.exe
1668 | regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes:
RxEfFqmvhE6tBxI.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfgjgcigikaibciopcbchkbfdofkjknn\2.0\manifest.json | RxEfFqmvhE6tBxI.exe
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfgjgcigikaibciopcbchkbfdofkjknn\2.0\manifest.json | RxEfFqmvhE6tBxI.exe
File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfgjgcigikaibciopcbchkbfdofkjknn\2.0\manifest.json | RxEfFqmvhE6tBxI.exe
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfgjgcigikaibciopcbchkbfdofkjknn\2.0\manifest.json | RxEfFqmvhE6tBxI.exe
File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfgjgcigikaibciopcbchkbfdofkjknn\2.0\manifest.json | RxEfFqmvhE6tBxI.exe
-
Installs/modifies Browser Helper Object 2 TTPs 9 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
regsvr32.exe, RxEfFqmvhE6tBxI.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | RxEfFqmvhE6tBxI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | RxEfFqmvhE6tBxI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | RxEfFqmvhE6tBxI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | RxEfFqmvhE6tBxI.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | regsvr32.exe
-
Drops file in System32 directory 4 IoCs
Processes:
RxEfFqmvhE6tBxI.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | RxEfFqmvhE6tBxI.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | RxEfFqmvhE6tBxI.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | RxEfFqmvhE6tBxI.exe
File opened for modification | C:\Windows\System32\GroupPolicy | RxEfFqmvhE6tBxI.exe
-
Drops file in Program Files directory 8 IoCs
Processes:
RxEfFqmvhE6tBxI.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.tlb | RxEfFqmvhE6tBxI.exe
File created | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.dat | RxEfFqmvhE6tBxI.exe
File opened for modification | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.dat | RxEfFqmvhE6tBxI.exe
File created | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.x64.dll | RxEfFqmvhE6tBxI.exe
File opened for modification | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.x64.dll | RxEfFqmvhE6tBxI.exe
File created | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.dll | RxEfFqmvhE6tBxI.exe
File opened for modification | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.dll | RxEfFqmvhE6tBxI.exe
File created | C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.tlb | RxEfFqmvhE6tBxI.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
RxEfFqmvhE6tBxI.exe
pid | process
4840 | RxEfFqmvhE6tBxI.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
RxEfFqmvhE6tBxI.exe
description | pid | process
Token: SeDebugPrivilege | 4840 | RxEfFqmvhE6tBxI.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d.exe, RxEfFqmvhE6tBxI.exe, regsvr32.exe
description | pid | process | target process
PID 4800 wrote to memory of 4840 | 4800 | 56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d.exe | RxEfFqmvhE6tBxI.exe
PID 4840 wrote to memory of 1196 | 4840 | RxEfFqmvhE6tBxI.exe | regsvr32.exe
PID 1196 wrote to memory of 1668 | 1196 | regsvr32.exe | regsvr32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d.exe
"C:\Users\Admin\AppData\Local\Temp\56cfc2df6d5af30cdd38239d8fd47e64f98c4344aab18308ba6d12f84b33909d.exe"
- Suspicious use of WriteProcessMemory
PID:4800
  -
  C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\RxEfFqmvhE6tBxI.exe
  .\RxEfFqmvhE6tBxI.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4840
    -
    C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1196
      -
      C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.x64.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      PID:1668
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
PID:4844
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
PID:368
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.dat
Filesize
6KB
-
C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.dll
Filesize
748KB
-
C:\Program Files (x86)\GoSave\QOaoFop2GXlA08.x64.dll
Filesize
882KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\QOaoFop2GXlA08.dll
Filesize
748KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\QOaoFop2GXlA08.tlb
Filesize
3KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\QOaoFop2GXlA08.x64.dll
Filesize
882KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\RxEfFqmvhE6tBxI.dat
Filesize
6KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\RxEfFqmvhE6tBxI.exe
Filesize
767KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\[email protected]\bootstrap.js
Filesize
2KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\[email protected]\chrome.manifest
Filesize
35B
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\[email protected]\content\bg.js
Filesize
7KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\[email protected]\install.rdf
Filesize
599B
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\cfgjgcigikaibciopcbchkbfdofkjknn\background.html
Filesize
144B
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\cfgjgcigikaibciopcbchkbfdofkjknn\biHbA5d.js
Filesize
5KB
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\cfgjgcigikaibciopcbchkbfdofkjknn\content.js
Filesize
144B
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\cfgjgcigikaibciopcbchkbfdofkjknn\lsdb.js
Filesize
531B
-
C:\Users\Admin\AppData\Local\Temp\7zSFF64.tmp\cfgjgcigikaibciopcbchkbfdofkjknn\manifest.json
Filesize
498B