Analysis
-
max time kernel
139s
-
max time network
36s
-
platform
windows7_x64
-
resource
win7v200430
-
submitted
30-06-2020 12:09
Static task
static1
Behavioral task
behavioral1
Sample
11203780.msi
Resource
win7v200430
Behavioral task
behavioral2
Sample
11203780.msi
Resource
win10
General
-
Target
11203780.msi
-
Size
444KB
-
MD5
7d7c9f126169d3ad991f2b511b466e47
-
SHA1
7795bbdef40832cee08256ebe1cca0c6df8bc740
-
SHA256
75c0601db308796a7e8b5f045f908dd910a4a869cc53d544ed28726ad0eb0537
-
SHA512
cf6e5d6dad7e345b435b91736dae86d6d66ebf726925fc7d843a6c6f773e2a20a10b50ce4533ddf154f48fbc4771f4ee693fb54b0c7106017e40d3649dd95f04
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: pagejeffrey@yandex.com
- Password: $44#@weC0*
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource    yara_rule
behavioral1/memory/1064-15-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
behavioral1/memory/1064-16-0x0000000000446ADE-mapping.dmp    family_agenttesla
behavioral1/memory/1064-18-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
behavioral1/memory/1064-19-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
-
Executes dropped EXE 2 IoCs
Processes:
MSIF603.tmp, MSIF603.tmp
pid     process
1572    MSIF603.tmp
1064    MSIF603.tmp
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
MSIF603.tmp
description    pid    process    target process
PID 1572 set thread context of 1064    1572    MSIF603.tmp    MSIF603.tmp
-
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exe, DrvInst.exe
description    ioc    process
File created    C:\Windows\Installer\1f334.msi    msiexec.exe
File opened for modification    C:\Windows\Installer\1f334.msi    msiexec.exe
File created    C:\Windows\Installer\1f336.ipi    msiexec.exe
File opened for modification    C:\Windows\Installer\MSIF584.tmp    msiexec.exe
File opened for modification    C:\Windows\INF\setupapi.ev3    DrvInst.exe
File opened for modification    C:\Windows\INF\setupapi.ev1    DrvInst.exe
File opened for modification    C:\Windows\Installer\MSIF603.tmp    msiexec.exe
File opened for modification    C:\Windows\Installer\1f336.ipi    msiexec.exe
File opened for modification    C:\Windows\INF\setupapi.dev.log    DrvInst.exe
File opened for modification    C:\Windows\Installer\    msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 44 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exe, MSIF603.tmp
pid     process
1548    msiexec.exe
1548    msiexec.exe
1064    MSIF603.tmp
1064    MSIF603.tmp
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid     process
1400    msiexec.exe
1400    msiexec.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSIF603.tmp
pid     process
1064    MSIF603.tmp
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\11203780.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\Installer\MSIF603.tmp
  "C:\Windows\Installer\MSIF603.tmp"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzxxmSogFmAhK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp927E.tmp"
    - Creates scheduled task(s)
    -
    C:\Windows\Installer\MSIF603.tmp
    "{path}"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005A8" "0000000000000584"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp927E.tmp
MD5
b3f0284daaab917a86328b3339b8b463
SHA1
a0593855a2eb96b0378c77e66e9ba345837f67fa
SHA256
8fd32cc48b0336567a0469b4f2ba7e136ef78b59c322e15eace1004ea34cbabb
SHA512
a740035edf3aea2b52f2b1577e548a0fe7ff1bbc651166967b7eff3ce9d1f728cb92a168ae65787a6e40daaa5a4917e09cc5f7cd0f9dd8da3a7e9952171732e2
-
C:\Windows\Installer\MSIF603.tmp
MD5
42013c93a1711781565cb1373a43f971
SHA1
15a6ee651a4d11d55c2c130295c0f53741a2be62
SHA256
dcbaf7178636323a226f048b4c8f64510b5b36fbfebcdf56df543eba07bc3bd1
SHA512
3b16826760380fd0cf10cd85d5cf9ded4c504e5bc9c8932e09ce88c02cc2dadf80d7198f14ff8f1dfdd52ab78a26ca7eca0c664f47ef8e790ae04cff0baf4bd9