Resubmissions

13/07/2023, 14:04

230713-rc9llaha43 10

11/07/2023, 09:58

230711-lzhthagb62 10

Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2023, 14:04

General

  • Target

    Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe

  • Size

    1.0MB

  • MD5

    790f3266b308066cd14f9900329e6f0c

  • SHA1

    7a9aa50d276c7f8b616d1c0b5bf8fe3d9328d0fa

  • SHA256

    b2d2f116713950b0742c2cb384c0377ac414be769d317f9e246ecb66730c889d

  • SHA512

    ce45fd69dfdda994b563a4bc946bdee94dbc3a27d8909ef32fb44a5c3aa0f08af72d0daafd4adb14474918ff23a2c721b0b4a9a915c1a701ded69565f607bb44

  • SSDEEP

    24576:whlXrm7zYFdAlYobCNtwc9Vr+iUriIVP1PRXplA77RRW6:GXi7MAlYlNWcqNriIVP1PRXpwrW6

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 11 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4492
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.0.28109163\2008700094" -parentBuildID 20221007134813 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 20860 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c83df7f-8438-47b8-a5de-edeeec2e5dbd} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 1920 234c4e05458 gpu
        3⤵
        PID:804
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.1.1789040711\16726713" -parentBuildID 20221007134813 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 20896 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e37648-1a3b-4d7e-a373-1f5b820eacf4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 2356 234b7272558 socket
        3⤵
        • Checks processor information in registry
        PID:2356
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.2.1758971233\639175372" -childID 1 -isForBrowser -prefsHandle 1456 -prefMapHandle 3208 -prefsLen 20934 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d67cfd2-4c95-4f98-8407-a622f43ea26f} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3300 234c7cb3658 tab
        3⤵
        PID:3208
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.3.892752573\628329880" -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26359 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d75c5f1e-9d06-45e1-a311-72ae53cb34e4} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 3652 234b7269f58 tab
        3⤵
        PID:1348
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.4.948893861\1974531752" -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4608 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64744aaa-dec6-4df6-a3e6-eae281c4ebc0} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 4624 234c9caa458 tab
        3⤵
        PID:1440
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.7.786229675\410069347" -childID 6 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c676987-1feb-4771-a4f7-de02972fc11c} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5440 234c9a8a158 tab
        3⤵
        PID:1464
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.6.264835245\438694947" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f66e19a-a4ab-4ad1-a6e0-9b01cb262ef1} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5248 234c9a89e58 tab
        3⤵
        PID:5060
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4816.5.398737586\705088505" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26418 -prefMapSize 232645 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a5216e6-dc46-4a78-86ac-070df94f12b5} 4816 "\\.\pipe\gecko-crash-server-pipe.4816" 5092 234c9a89b58 tab
        3⤵
        PID:2344
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3832

Network

MITRE ATT&CK Enterprise v6

Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\05ypapi5.default-release\activity-stream.discovery_stream.json

                        Filesize

                        148KB

                        MD5

                        1b5d1653a82dcffee311175dcc164fbc

                        SHA1

                        1d8ed433bfe1994e3b3ee790768eeddd4319a12c

                        SHA256

                        9d249a475b876914ce5b3364a9566eb8e80d3bd7ca6386fc1ec4a59a546a4587

                        SHA512

                        0624c4617490c1f7b312adf3553e7262c08889e27cddc91d9df614faac546e3024009bcc4f4cee51e01f680d5206e6c064f4e556d0d9ab9f61c62cc56badf80b

                      • C:\Users\Admin\AppData\Local\Temp\nsy9C32.tmp\System.dll

                        Filesize

                        11KB

                        MD5

                        75ed96254fbf894e42058062b4b4f0d1

                        SHA1

                        996503f1383b49021eb3427bc28d13b5bbd11977

                        SHA256

                        a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

                        SHA512

                        58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-618519468-4027732583-1827558364-1000\0f5007522459c86e95ffcc62f32308f1_7cdcba7c-ddfa-4ddd-854f-aa7eeb433240

                        Filesize

                        46B

                        MD5

                        c07225d4e7d01d31042965f048728a0a

                        SHA1

                        69d70b340fd9f44c89adb9a2278df84faa9906b7

                        SHA256

                        8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                        SHA512

                        23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-618519468-4027732583-1827558364-1000\0f5007522459c86e95ffcc62f32308f1_7cdcba7c-ddfa-4ddd-854f-aa7eeb433240

                        Filesize

                        46B

                        MD5

                        d898504a722bff1524134c6ab6a5eaa5

                        SHA1

                        e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                        SHA256

                        878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                        SHA512

                        26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

                        Filesize

                        202B

                        MD5

                        4566d1d70073cd75fe35acb78ff9d082

                        SHA1

                        f602ecc057a3c19aa07671b34b4fdd662aa033cc

                        SHA256

                        fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

                        SHA512

                        b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs-1.js

                        Filesize

                        6KB

                        MD5

                        5fb4a5b9ed048676168272676f46f6a5

                        SHA1

                        181ca1a3cd79bdc78ce82f642d6fc2212479dd26

                        SHA256

                        66ca187123b1a4c969d1b7cbb2549c2cd0332b82e175a7e5a80228572e321319

                        SHA512

                        be54d646d0969d997ef33284177ad97bc3d3824c386d526eea71542030c99ad55e667319f30ee2b104c219168d87b8808ce6b4fe96fd662bf5366aef6e122ad4

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\prefs.js

                        Filesize

                        6KB

                        MD5

                        cfdd55299f3df8fb7c08ab906991ce98

                        SHA1

                        e88241d2aa2a5bdf9b2ea74e9dd53f1938534f1a

                        SHA256

                        bdaf786c4a95be17fb4a90d8256125b417fe9f6e5497fd00c5004e44cabaace9

                        SHA512

                        07517ded2840efaf1234f8bf0ce0e8ae021d749388362655d687cfd708446fa3a80ec019b93db22e5b224f0a3f1fa198351470d4d572c7286635122e7418e540

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\sessionstore.jsonlz4

                        Filesize

                        883B

                        MD5

                        cc104f8c30653a539798ec66ed6d54ba

                        SHA1

                        343727512737c905016ff967a0715d8adba28336

                        SHA256

                        f65e21d967ccda300d34365e982e6b79c0567712fc667236ad50e3f60f8d93f6

                        SHA512

                        7dc14d6d645e8825b114470646a81ec8a6bfd2d7340e73cb84c90c9fa188732630b299e7cd6a34f16905d896c11dfcaa37f654d21e63372fd560d2693fe9ed85
