Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 10:41

General

  • Target

    Backdoor.Win32.Padodor.SK.exe

  • Size

    276KB

  • MD5

    d553216d5ce9f6656306e2c2b2b85fd0

  • SHA1

    845f5e392e410bdfaa2649e416ae9a50d5eae1dd

  • SHA256

    78f02ede53ea25525662d8507017c63d5c16e4b2c3ac5b6076398fb4190536ae

  • SHA512

    af2b38798b992b182c39ffff99f5f720c8ea8addd36e74856b6164b4e645a9eab6ae2ab12f5eb21a5c0d25ca1ec86db60c5b481f0279863dcffe4e854d495722

  • SSDEEP

    6144:MMs8hW0LAEAdWZHEFJ7aWN1rtMsQBOSGaF+:MN8hNEf2HEGWN1RMs1S7

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 37 IoCs
  • Drops file in System32 directory 53 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 54 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\Ajpepm32.exe
      C:\Windows\system32\Ajpepm32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\SysWOW64\Achjibcl.exe
        C:\Windows\system32\Achjibcl.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\Aakjdo32.exe
          C:\Windows\system32\Aakjdo32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\Aoagccfn.exe
            C:\Windows\system32\Aoagccfn.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Windows\SysWOW64\Bkhhhd32.exe
              C:\Windows\system32\Bkhhhd32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2752
              • C:\Windows\SysWOW64\Bdqlajbb.exe
                C:\Windows\system32\Bdqlajbb.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2700
                • C:\Windows\SysWOW64\Bqgmfkhg.exe
                  C:\Windows\system32\Bqgmfkhg.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2604
                  • C:\Windows\SysWOW64\Bnknoogp.exe
                    C:\Windows\system32\Bnknoogp.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:604
                    • C:\Windows\SysWOW64\Bieopm32.exe
                      C:\Windows\system32\Bieopm32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:568
                      • C:\Windows\SysWOW64\Bqlfaj32.exe
                        C:\Windows\system32\Bqlfaj32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2508
                        • C:\Windows\SysWOW64\Cenljmgq.exe
                          C:\Windows\system32\Cenljmgq.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1076
                          • C:\Windows\SysWOW64\Cbblda32.exe
                            C:\Windows\system32\Cbblda32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1908
                            • C:\Windows\SysWOW64\Cbdiia32.exe
                              C:\Windows\system32\Cbdiia32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2860
                              • C:\Windows\SysWOW64\Ckmnbg32.exe
                                C:\Windows\system32\Ckmnbg32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2424
                                • C:\Windows\SysWOW64\Calcpm32.exe
                                  C:\Windows\system32\Calcpm32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1752
                                  • C:\Windows\SysWOW64\Dnpciaef.exe
                                    C:\Windows\system32\Dnpciaef.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:1948
                                    • C:\Windows\SysWOW64\Dpapaj32.exe
                                      C:\Windows\system32\Dpapaj32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      PID:2228
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 144
                                        19⤵
                                        • Loads dropped DLL
                                        • Program crash
                                        PID:3056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Aoagccfn.exe

    Filesize

    276KB

    MD5

    06547c5c4e1e31bf6968f4dbca8eb365

    SHA1

    a3f96667715332bd589a36f97e752e44aaa753a8

    SHA256

    068f8065fe1368659f0ad51e8fe979d64946135fffa3d0f09b8ffe4e4cf43644

    SHA512

    c06d8ff43db37707f1995f41cc7f7ef08169fc8be7230e9e2b355fd41ce2f42f20942ba7d7c7ef6c560f06d915dc1f32c1b9c8e2258ce2ef4ea2370f18bb0f5d

  • C:\Windows\SysWOW64\Bqlfaj32.exe

    Filesize

    276KB

    MD5

    fb8819ce1f6682cd46c725f30610f13a

    SHA1

    41cd8c678d27db9eb864cdf81b4509cb908ff890

    SHA256

    08908fda7ff6e2265dbce75ac956598b09de140a1de213651045dd997fd03aaf

    SHA512

    9a38438f6554e66a022f60803ba10d4dc13173927ce5e1893182d3b2ffc7d32c63a360a9ee8fc3eae46267b3469c66453960b4f514bc9404c6bc176c167b35c8

  • C:\Windows\SysWOW64\Dpapaj32.exe

    Filesize

    276KB

    MD5

    685bb291ff53dd13470143bce487a823

    SHA1

    b77587fe81596fbe17d0552174d18512cb2cee4f

    SHA256

    bef8d2be5080e690d9fbf2a957f8d631a3b47ba1707e0daf2770ffe12d26dcce

    SHA512

    153727ae92a32ac390ed7a30b975b0d674dc5547493669c820a954ad213e8a01620d1beecbd9efd2a513021ad6092499bdf2b7d4aed4a38f058b251aa5b30b43

  • C:\Windows\SysWOW64\Qcamkjba.dll

    Filesize

    7KB

    MD5

    fefc798ddd40ef1e60a7c89bca5a9039

    SHA1

    f8b4d79b276a0b15916ed0de1be943981145662a

    SHA256

    d7b0ae5fa62e36febe262e360b7e162f8a0ea5df26a5fbd0a317e65553c2b3e5

    SHA512

    557d7ddaed3427f64f9dd65e0cbe26b6534d765b88fbe418017b9886c15eec4b828fce7c27e9155aa2755e2dfdb523d1c27aed666396993a3855f9cd58b8a0db

  • \Windows\SysWOW64\Aakjdo32.exe

    Filesize

    276KB

    MD5

    f3da4d3936b065d2a281842d957c7fd9

    SHA1

    839f3632af69bf1b3ca649835b83bddc8440b8bd

    SHA256

    87a28a1894517c55ee8410819b1eb4ecab497d5f4ff713386a27347cbfc99795

    SHA512

    01eb1106cb8f7e6e2c4eb484e18f9090b7565a2b97c19304ac6b8b9d7eaa1ffa132ea69d6318a9eb200e66955f82a882d5523d575a254d879b9cf541a715a02b

  • \Windows\SysWOW64\Achjibcl.exe

    Filesize

    276KB

    MD5

    1a54fa98cd774bdf3cb35b0a5fd097fd

    SHA1

    043fc2ffa89cff4e516d9eed346dd664e3bf3c2e

    SHA256

    cab05823acdd11f624ebbe2fb0f77a98b4b0688c1b2a8d6e9143c91dfdd044f1

    SHA512

    6ed53768804b9ef8e4502022b997095caba74e5864ff37c0c64751075b3accefebf7e2142b78413743b7e8629edb03e0fd530552eef762128ea6744921fd2861

  • \Windows\SysWOW64\Ajpepm32.exe

    Filesize

    276KB

    MD5

    675266cb38bbdf76270588a00badb79d

    SHA1

    b48705c2e38972b92e18bcb2bcf62c69974e5d9c

    SHA256

    c7bfd3e9c1b1752ecc00b2ad1cfceef7e015eb67983aab0e59549d06c6994564

    SHA512

    730b54ba905b3e35832c2f781934be00cac95cf7db879cead1a157940e1ef7f0eff56d2951dbebe17e4f5b13f41653ee488c4e7595dbf7f79f864cb710521d03

  • \Windows\SysWOW64\Bdqlajbb.exe

    Filesize

    276KB

    MD5

    96e6d281d6ddcabee4db193ce805485f

    SHA1

    d42c6c7d3d8711bf76287beaf64c220df666797d

    SHA256

    63142ea9869cf3741cefc9ac6942b8b43927d7687ebc01d742dffec6073af879

    SHA512

    03b9b34340616d0633e7387651ecacde0f0cb5bd2325a92184b01fcb085bbfcae48bb6d3b3975caf28d795a9e1af6a97716a5d648fea6d8cd629cb6d34561fb9

  • \Windows\SysWOW64\Bieopm32.exe

    Filesize

    276KB

    MD5

    fcd249d35c4447329708816450bfa9d7

    SHA1

    c00ab797ac313276bbfc53e449bc6d5f059fe1a2

    SHA256

    3fa376d314698d5efc2edbbd442ee8e94b388fe288bebdd7dd0e8bde72358789

    SHA512

    5fbe545b2f3236b67596185868ad251b0c45f48eced49e7b516f85117f51e9e5d5a0809aa2f089bb738c2146ec86efcdf03e393786a8a20acdc94974fa90e730

  • \Windows\SysWOW64\Bkhhhd32.exe

    Filesize

    276KB

    MD5

    7f39edfff399d8411e860e27dbaf65ff

    SHA1

    863b491e7bb16d2f0c2c087aec7712099e722e74

    SHA256

    43bcb08b003261a1d4cb2ae2f610dd61662b177e6d91296eff75f0d47c7cda51

    SHA512

    6730045de5fdcb761c79b7e82b695a0ab0b9bf7934bc826159528d4805617b0211802b3721dd6cc9350a4d35837d763d4824ebed758d8ffb866720422efe7d55

  • \Windows\SysWOW64\Bnknoogp.exe

    Filesize

    276KB

    MD5

    4a8b0ebaacaa7b85fb24a39fb360e87c

    SHA1

    3419687b1b76e84cba31e0b25bdebf98217906f3

    SHA256

    7011f9243aa77e9db098861e7ed0b99b8ef7e222b3eb602b26475d69f4321984

    SHA512

    9daff415010fe93b1c8378d5684935fce21a95ebd42f1abf572e3da6f4fe7e79a99853a80588debd3a288b2e52d226570be97e4c09e71ab8883f028abf4cdbe2

  • \Windows\SysWOW64\Bqgmfkhg.exe

    Filesize

    276KB

    MD5

    9f0f291502b37636ae50350db3646a6c

    SHA1

    fd0eb88dada3e6e883b9b6f05720725306d146b9

    SHA256

    4418593c2a56b1924c6c17a1b0d8ff3ecef5d5b5308e3286a162a2e689c147fb

    SHA512

    981cf8530d391ca3c7eab082cd085cdd99cfa8c59cdcc1489691ec0cdc7cb0cde13d323453f67359954790b3a502b71f23bf6c08ace1fb1df7363e118b0941a4

  • \Windows\SysWOW64\Calcpm32.exe

    Filesize

    276KB

    MD5

    6bb20b140c796ed8b95292c235e19db9

    SHA1

    cc9d277cc207a930c24c41eac7c9120bb1c887dd

    SHA256

    b43bd84b0a8200b28e30596b7f3604197f02b87cc8b039f67d248ce022192dd9

    SHA512

    ab63ca4d15533f362f16be6ceb8cfdc89c770a5c7540648569e624aadd8d633dc2c24389a04d3f8a3b3a661dc9d7d37ac8d8a3dd8896fec73277461db9f05ed1

  • \Windows\SysWOW64\Cbblda32.exe

    Filesize

    276KB

    MD5

    d85c009f2d0b9b1a0c8d1a95bc6cb11f

    SHA1

    8ca1222a41457979754f05368248ddf3bd5c4504

    SHA256

    fce032845639ca5c4b895be1bde7810de63df9a9222f137d461d3ccae9fc1310

    SHA512

    e9e887879044f177c472479783cc64ed57ebdcf324b0fef161d179afc4672a829d8dcf1a99c7d33d4fb0065908fb66e663a594dd40521c4c6f2fca3acdbdc0e6

  • \Windows\SysWOW64\Cbdiia32.exe

    Filesize

    276KB

    MD5

    25c747eba7a322fb8a94f5138a86231a

    SHA1

    92f4e29dccdc9f8d9d57076848a400e1bd7d5cad

    SHA256

    9c92c2ef92682f79fbc5d4c4a68da4d24575652fa95b30e785198b6d10165afe

    SHA512

    eaab2ad259fc36b073454cd3257624667ff31bb37dd45cf25eb8652f63c37559f48cb972315098ad9f3d9d0f2a4a097016525bc4d4cc78b13f3e07921e16a7f0

  • \Windows\SysWOW64\Cenljmgq.exe

    Filesize

    276KB

    MD5

    b3f44a2181f32898166066760353b41d

    SHA1

    e0e44c6bc92bf65831bda722783fc94ea21c3477

    SHA256

    e74ca9624a53080c84cb694b56fb5fc2af7a2a5f97298854e4cac82bee9249bf

    SHA512

    f5c90e4ac5f335c1b6854077cd7d5823b6cf222a619e0e57763f6b3f34b85cafef2d79c11a568c264c4827256a2fc0cb0d9daca73dd847edbc12084e1f19ff8d

  • \Windows\SysWOW64\Ckmnbg32.exe

    Filesize

    276KB

    MD5

    d6a82919752963aaab2cd11e686f0081

    SHA1

    fd819bb3c702d9ed20c2be1dcd9326fe1ccbc22c

    SHA256

    d9674383a5466df1ee86bfe9b17cbc037add8c97412c292183639955774a7656

    SHA512

    595d54d7016f3d3c3776ac01c712badec2347492d26da660b8fb914d63a2a9faedff7b0982e6c797c6bd11656e3a3bfa0bab7ccc83b410c23c10fc1d44e9f449

  • \Windows\SysWOW64\Dnpciaef.exe

    Filesize

    276KB

    MD5

    dad065fd64db527d70cf706d23261566

    SHA1

    a59f430ad8c20987ae29ec8676680b7cb19635e5

    SHA256

    8689babbbcac95aa2c65dba782a83d6eed90e237a154c4e5ab0ebc6b02be59d7

    SHA512

    a47924f3a3f8030d370958eeea22e42cc2b6cdbe4a6c6c2f604293a65490c1dfc7dab7c538293ebd03c79107f06fb782818e2a84f37f81a03aa9e308e5da4db9

  • memory/372-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/372-25-0x00000000002A0000-0x00000000002E2000-memory.dmp

    Filesize

    264KB

  • memory/568-131-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/568-143-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/568-189-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/568-175-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/604-173-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/604-114-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/604-171-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/604-127-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/1076-159-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1076-172-0x0000000000260000-0x00000000002A2000-memory.dmp

    Filesize

    264KB

  • memory/1076-213-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1076-220-0x0000000000260000-0x00000000002A2000-memory.dmp

    Filesize

    264KB

  • memory/1752-252-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1752-230-0x0000000000450000-0x0000000000492000-memory.dmp

    Filesize

    264KB

  • memory/1908-183-0x0000000000310000-0x0000000000352000-memory.dmp

    Filesize

    264KB

  • memory/1908-176-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1908-228-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1908-190-0x0000000000310000-0x0000000000352000-memory.dmp

    Filesize

    264KB

  • memory/1948-247-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/1948-254-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/1948-243-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/1948-253-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1948-255-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/2120-52-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2120-0-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2120-6-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/2228-248-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2228-256-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2424-251-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2424-214-0x0000000000310000-0x0000000000352000-memory.dmp

    Filesize

    264KB

  • memory/2480-35-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/2480-80-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2480-83-0x0000000000250000-0x0000000000292000-memory.dmp

    Filesize

    264KB

  • memory/2480-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2508-145-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2508-198-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2604-153-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2604-111-0x0000000000290000-0x00000000002D2000-memory.dmp

    Filesize

    264KB

  • memory/2672-91-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2684-61-0x00000000002C0000-0x0000000000302000-memory.dmp

    Filesize

    264KB

  • memory/2684-110-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2684-54-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2684-113-0x00000000002C0000-0x0000000000302000-memory.dmp

    Filesize

    264KB

  • memory/2700-92-0x00000000002F0000-0x0000000000332000-memory.dmp

    Filesize

    264KB

  • memory/2700-84-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2700-130-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2752-128-0x0000000000370000-0x00000000003B2000-memory.dmp

    Filesize

    264KB

  • memory/2752-122-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2752-81-0x0000000000370000-0x00000000003B2000-memory.dmp

    Filesize

    264KB

  • memory/2752-68-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2860-242-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2860-205-0x0000000000450000-0x0000000000492000-memory.dmp

    Filesize

    264KB

  • memory/2860-199-0x0000000000450000-0x0000000000492000-memory.dmp

    Filesize

    264KB