Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
16-12-2021 22:11
General
-
Target
tmp/570e1dd9-aa39-41d6-9a37-1a1ff27b803b_ra4.exe
-
Size
8.4MB
-
MD5
fc878a1e87addcfc819a738f2f4b58f0
-
SHA1
3fe62a9844037951adda9aab5ce952b941033288
-
SHA256
e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f
-
SHA512
71da98d1086e4a8754d03592266e513e27a8ec4b8e252a7ca24a9278cd8eb0ed61d062a9a1b8f6b3b158c6f2b3465a1088e5b415feabf95a88f00d677ddd06e9
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 8 IoCs
-
Executes dropped EXE 7 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 4 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\570e1dd9-aa39-41d6-9a37-1a1ff27b803b_ra4.exe"C:\Users\Admin\AppData\Local\Temp\tmp\570e1dd9-aa39-41d6-9a37-1a1ff27b803b_ra4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ra2.exe"C:\Users\Admin\AppData\Local\Temp\ra2.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ra2.exe" /sc minute /mo 53⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ra2.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Client.exe"C:\Users\Admin\Client.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 54⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 14⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "servies" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "servies" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exeC:\Users\Admin\AppData\Roaming\Microsoft\servies.exe4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"5⤵
- Executes dropped EXE
-
C:\Windows\explorer.exeC:\Windows\explorer.exe kikgvzdagtfalr0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAYZEBsbMhk19a7AHFG2E7AaoXpwGgnL9qfF4ckLxCoO5fPm2jEdfVVBnDTVsKcr78bsf+FJAiv9UkqD3PHA/InOiEAYhRW2/oAEFHfXMVdkjhaWKsg2Ui/VNDlZrjEfnNbtHmDzkUQ230hBNYh7ZxfvuOTeg8dkgkyXdOQwbhwsJPq28iQfFX1PueXdORkCf4VucZx9baeD4MEWeJktSkHVOynOvy7XJ6mNKXnfO/doHlqoNXzZ9yBJS+rgA0257kMWTO+mq/iSyuLLOlHufNdxCuaooAte42l8WasUHsqGcVky0tLDJI0vRieQM7RiXxpnGFfsCsd7THmjaH/w72d3yTFK/O26HmnrQqmsgAIYO6eidmlIq4VnrnNaUF02+EUeXXUC+XLSypGiOPZt/u2qjQSEo2JnfQG/1t76Y5UmvcdiThqoLnxJ0iX0LglGcPw3+/OmvYZC29fJYqJidc6CGf6nKuThpimDlMir2QU69LNxGOE1rkpFoyAWPXAN4T+Cg9ybqrJ+tbpIJQe9UPCQ==5⤵
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {293F5537-86B2-4F44-BE24-7E3036675445} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\Client.exeC:\Users\Admin\Client.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 53⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Client.exeC:\Users\Admin\Client.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYANP /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 53⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM wscript.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\TASKKILL.exeTASKKILL /F /IM cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 13⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Build.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\AppData\Local\Temp\Build.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\AppData\Local\Temp\ra2.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\AppData\Local\Temp\ra2.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exeMD5
5aff6f89f1a58c1f48873b39a6602005
SHA166c97937cf6b99ca8fa500c1345d6675061c0615
SHA2560f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158
SHA512e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exeMD5
5aff6f89f1a58c1f48873b39a6602005
SHA166c97937cf6b99ca8fa500c1345d6675061c0615
SHA2560f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158
SHA512e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600
-
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
C:\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
\Users\Admin\AppData\Local\Temp\Build.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
\Users\Admin\AppData\Local\Temp\ra2.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exeMD5
5aff6f89f1a58c1f48873b39a6602005
SHA166c97937cf6b99ca8fa500c1345d6675061c0615
SHA2560f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158
SHA512e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600
-
\Users\Admin\AppData\Roaming\Microsoft\servies.exeMD5
19402d6c5cd427fbfc867279bd40667a
SHA172a3aaf031894dc1736bdfaa25bac181019a9398
SHA256ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994
SHA512b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618
-
\Users\Admin\Client.exeMD5
6d9a47c5bae0ee452b2076ed8b98dab4
SHA1e65b81b050d75b8dcb5374e0b39601abf55d631e
SHA25632ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
SHA512c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59
-
memory/268-142-0x0000000000000000-mapping.dmp
-
memory/520-112-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-105-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-111-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-115-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-104-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-109-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-117-0x0000000001AF0000-0x0000000001B10000-memory.dmpFilesize
128KB
-
memory/520-118-0x0000000001E00000-0x0000000001E20000-memory.dmpFilesize
128KB
-
memory/520-108-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-114-0x0000000140958000-mapping.dmp
-
memory/520-107-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/520-106-0x0000000140000000-0x000000014097B000-memory.dmpFilesize
9.5MB
-
memory/544-89-0x0000000000000000-mapping.dmp
-
memory/552-137-0x0000000000000000-mapping.dmp
-
memory/584-68-0x000000013FBA0000-0x000000013FBA1000-memory.dmpFilesize
4KB
-
memory/584-73-0x0000000000AD0000-0x0000000000AD2000-memory.dmpFilesize
8KB
-
memory/584-60-0x0000000000000000-mapping.dmp
-
memory/840-54-0x0000000076491000-0x0000000076493000-memory.dmpFilesize
8KB
-
memory/856-135-0x0000000000000000-mapping.dmp
-
memory/868-128-0x0000000000000000-mapping.dmp
-
memory/1044-98-0x00000000039C0000-0x00000000039C2000-memory.dmpFilesize
8KB
-
memory/1044-92-0x000000013FE60000-0x000000013FE61000-memory.dmpFilesize
4KB
-
memory/1044-85-0x0000000000000000-mapping.dmp
-
memory/1048-129-0x0000000000000000-mapping.dmp
-
memory/1120-70-0x0000000000000000-mapping.dmp
-
memory/1212-64-0x0000000000000000-mapping.dmp
-
memory/1284-66-0x0000000000000000-mapping.dmp
-
memory/1308-88-0x0000000000000000-mapping.dmp
-
memory/1356-138-0x0000000000000000-mapping.dmp
-
memory/1424-94-0x0000000000945000-0x0000000000956000-memory.dmpFilesize
68KB
-
memory/1424-87-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/1424-79-0x0000000000000000-mapping.dmp
-
memory/1424-116-0x0000000000956000-0x0000000000957000-memory.dmpFilesize
4KB
-
memory/1544-67-0x0000000000000000-mapping.dmp
-
memory/1552-110-0x0000000000000000-mapping.dmp
-
memory/1592-136-0x0000000000000000-mapping.dmp
-
memory/1608-113-0x0000000000000000-mapping.dmp
-
memory/1648-100-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/1648-103-0x0000000000620000-0x0000000000622000-memory.dmpFilesize
8KB
-
memory/1648-96-0x0000000000000000-mapping.dmp
-
memory/1668-63-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/1668-76-0x0000000000B86000-0x0000000000B87000-memory.dmpFilesize
4KB
-
memory/1668-56-0x0000000000000000-mapping.dmp
-
memory/1668-72-0x0000000000B75000-0x0000000000B86000-memory.dmpFilesize
68KB
-
memory/1696-71-0x0000000000000000-mapping.dmp
-
memory/1728-75-0x0000000000000000-mapping.dmp
-
memory/1732-141-0x0000000000000000-mapping.dmp
-
memory/1748-74-0x0000000000000000-mapping.dmp
-
memory/1748-124-0x0000000000000000-mapping.dmp
-
memory/1760-123-0x0000000000000000-mapping.dmp
-
memory/1904-126-0x0000000000000000-mapping.dmp
-
memory/1940-83-0x0000000000000000-mapping.dmp
-
memory/1944-125-0x0000000000000000-mapping.dmp
-
memory/1944-140-0x0000000000546000-0x0000000000547000-memory.dmpFilesize
4KB
-
memory/1944-139-0x0000000000535000-0x0000000000546000-memory.dmpFilesize
68KB
-
memory/1944-131-0x0000000000000000-mapping.dmp
-
memory/1944-134-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB
-
memory/1956-65-0x0000000000000000-mapping.dmp
-
memory/1964-91-0x0000000000000000-mapping.dmp
-
memory/1996-90-0x0000000000000000-mapping.dmp
-
memory/2004-119-0x0000000000000000-mapping.dmp
-
memory/2004-130-0x0000000000296000-0x0000000000297000-memory.dmpFilesize
4KB
-
memory/2004-122-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2004-127-0x0000000000285000-0x0000000000296000-memory.dmpFilesize
68KB