Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2024, 03:44

General

  • Target

    bbebdf7c87f1cd2fe758a8cda3c1e77c0035a4b3fc72988e89863ebadc9eded0.exe

  • Size

    96KB

  • MD5

    7b854adda7f895a88f11c48bf0ac472a

  • SHA1

    7e726c6107f14823455901e55a23114229cae363

  • SHA256

    bbebdf7c87f1cd2fe758a8cda3c1e77c0035a4b3fc72988e89863ebadc9eded0

  • SHA512

    ef42379e9ad4dbdfc198d8f9fa57d5df810d8638eb384df037eb13d313d4f1c76a44498ddfbce9603ff39ed17af503bde0ead07a37cc68106459e42471f7be2d

  • SSDEEP

    1536:eyQalItFxx3VEuEfvjEoawN+kQPyJbTb2q/BOm2cCMy0QiLiizHNQNdq:jHlU3fUskQ6Jb/D5OmtCMyELiAHONdq

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 38 IoCs
  • Drops file in System32 directory 51 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 54 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbebdf7c87f1cd2fe758a8cda3c1e77c0035a4b3fc72988e89863ebadc9eded0.exe
    "C:\Users\Admin\AppData\Local\Temp\bbebdf7c87f1cd2fe758a8cda3c1e77c0035a4b3fc72988e89863ebadc9eded0.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\SysWOW64\Johlpoij.exe
      C:\Windows\system32\Johlpoij.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\Kkomepon.exe
        C:\Windows\system32\Kkomepon.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\Kekkkm32.exe
          C:\Windows\system32\Kekkkm32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\SysWOW64\Kgjgepqm.exe
            C:\Windows\system32\Kgjgepqm.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\SysWOW64\Khnqbhdi.exe
              C:\Windows\system32\Khnqbhdi.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2996
              • C:\Windows\SysWOW64\Lhpmhgbf.exe
                C:\Windows\system32\Lhpmhgbf.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2588
                • C:\Windows\SysWOW64\Lhbjmg32.exe
                  C:\Windows\system32\Lhbjmg32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2304
                  • C:\Windows\SysWOW64\Lkccob32.exe
                    C:\Windows\system32\Lkccob32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2116
                    • C:\Windows\SysWOW64\Lndlamke.exe
                      C:\Windows\system32\Lndlamke.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:580
                      • C:\Windows\SysWOW64\Mcendc32.exe
                        C:\Windows\system32\Mcendc32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2968
                        • C:\Windows\SysWOW64\Mkqbhf32.exe
                          C:\Windows\system32\Mkqbhf32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2540
                          • C:\Windows\SysWOW64\Mfhcknpf.exe
                            C:\Windows\system32\Mfhcknpf.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1704
                            • C:\Windows\SysWOW64\Ngoinfao.exe
                              C:\Windows\system32\Ngoinfao.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2908
                              • C:\Windows\SysWOW64\Nmnoll32.exe
                                C:\Windows\system32\Nmnoll32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:368
                                • C:\Windows\SysWOW64\Nbmcjc32.exe
                                  C:\Windows\system32\Nbmcjc32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2168
                                  • C:\Windows\SysWOW64\Olgehh32.exe
                                    C:\Windows\system32\Olgehh32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:340
                                    • C:\Windows\SysWOW64\Ohnemidj.exe
                                      C:\Windows\system32\Ohnemidj.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:1056
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 140
                                        19⤵
                                        • Loads dropped DLL
                                        • Program crash
                                        PID:1816

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\Khnqbhdi.exe

          Filesize

          96KB

          MD5

          6dca49eee1517d15108958ee829f062d

          SHA1

          59c901e3c13edd0243bf74230f2500c74e62e622

          SHA256

          5b8921874f2c1e6a241ad5cbcf2a86196113445008fb0961328d466e2e3a6241

          SHA512

          749f7b67768422ad49b0a2a59ee0f0422bc2213d78c55e015cc7da6dfd2ecf445435d80bcc89d19f108add731ca79902cb24c7ebe41d3af8c1992da89b007a7c

        • C:\Windows\SysWOW64\Nnoaan32.dll

          Filesize

          7KB

          MD5

          68deac9fd989a4ec0eb0aacd81f97908

          SHA1

          b2f185e6d8bff7e51745f3af26466a7dd943b2cc

          SHA256

          5d1fd4d7dcf25932c2e76cfd8135e87ec558cb7a3019bb57eecce0a7e404361d

          SHA512

          e1ae69fd9635823383894ca133194e9f821b4474dbf5aa7d5d04f720b7f39ce7ec6005fc31729a0188c956f215e97ae27a194b1e8502761133d08181d53c117c

        • C:\Windows\SysWOW64\Ohnemidj.exe

          Filesize

          96KB

          MD5

          dd809b90e367bf56352bff9cad517b36

          SHA1

          c2d94e687c7f6fc66806ccbdc640e7484045f1d5

          SHA256

          d3474795497887cc9cbebda2c81f4ecf1648996dd82093f2031272b268dda38c

          SHA512

          1310d263aa914c43e638332177329e29044f7106c58bced05f3ea720adf1d0b6dcda2d373003eeee7f112c12c6d8bfa0cf62cfb0f84e66bfe33edaf330af55af

        • \Windows\SysWOW64\Johlpoij.exe

          Filesize

          96KB

          MD5

          8eba0e955cb2f9e1e5210f755b165266

          SHA1

          ae6f7b0190c1dad3fe49fa5c9faa0b6c3cfdf922

          SHA256

          bec3aa1415104366dac1a9541a1709bd991c98e5a0ce6b673583e59193ae7c63

          SHA512

          0bcca9ed8889b00d5561871dad61076df45c3c8279bec9b61107daf9f0965cd21a4c23be2358b6b6883a0efa3330e80c0c59239ba3cd8e438e945219f76b73a0

        • \Windows\SysWOW64\Kekkkm32.exe

          Filesize

          96KB

          MD5

          747687db1d28e289902633791f380124

          SHA1

          93b8364ffccc2b22ad1f787e1f4aef3f64e2bc78

          SHA256

          098ab9ce4385459500d004c6ae48031179e7d6ad44ba4e41bb6ce0330e4abf11

          SHA512

          85cd8d4be786155bdcad0e38c4354b8278c94e1d8e6f7b3a3ad457eb78d2ccc25966e53865325063ff70ab9fca3c89230c654a434a4513467f052c44a1f0d2b4

        • \Windows\SysWOW64\Kgjgepqm.exe

          Filesize

          96KB

          MD5

          75d0560aa9038c7a3ab32fdb1066a314

          SHA1

          86204f43ea2e166f4293b16d6bc1e0c974264e25

          SHA256

          b7318602b98abd0defc0fd09b4700a171d86f3d34c2a8e9026b73ada8160b920

          SHA512

          bcab77a24db76da54d04f7fc2fc84cd92769636dbea90e67b59247caa2e3a4324e9e6ed3592a6df1dc7f86518621e0591ea00360f03d1abffa74c836b5a8e8d8

        • \Windows\SysWOW64\Kkomepon.exe

          Filesize

          96KB

          MD5

          09a37e176cf3c9e59d00da8ce0ae4f3d

          SHA1

          69854af1e056fb04dca333a7884fe961130d3b00

          SHA256

          0a639c6682674f2d478e7fd8e3862d5fc8e2a72cb1666002f3f3d670e94b377c

          SHA512

          c5c61ec173c9677b9957c6ce167adf789351addc5006049036af7ab7d069f171d1a0f4557f90c7b7cd5e4c8cfe8b0e0f7549ab977fd116e37956302a8bb5ac5f

        • \Windows\SysWOW64\Lhbjmg32.exe

          Filesize

          96KB

          MD5

          45d8e542cfee4e544edfcfb10173ae3a

          SHA1

          a3a0b2e402c0d833f9386b126ab12d4acf0159a9

          SHA256

          567c2715ce500246683737f03f264afd8b723a0e381d6feeb7498bce61449291

          SHA512

          7e90bb9f2c976331eee70dbe2ae2da4af78176868762d90f019ef46fc72f30ea6be7b7f7021d5c08ecbc1944b93fcd1870508d591fd54e2112f44dce4f4029ad

        • \Windows\SysWOW64\Lhpmhgbf.exe

          Filesize

          96KB

          MD5

          a8e0cb91e0e1468ac300096c0f38770c

          SHA1

          6b598ccd7fe1a0b6bf18f0483740fcc45201911b

          SHA256

          b0ae963c9ce115303c7b74a4f0368e54806ad0691f10cb591cb8b96894c46eb2

          SHA512

          e559b42354fd107dd666d3187a77202c1cbf95e265c4bdc4ccbd9141033ad2a511d1b705b757f264ccfeab2905bf9c44a36c7f3edf70ba7b813cf0b25d541757

        • \Windows\SysWOW64\Lkccob32.exe

          Filesize

          96KB

          MD5

          ce6fbe8fdb76ad7324b4ac09a4b17b8a

          SHA1

          b7de5bde33dea1ca6e5a544d5f611dfd172955af

          SHA256

          f23b0fc7ab20780f71c7f2cff68f181a119cde7e1e5d934f19a6d6aee1206340

          SHA512

          1f85766d20eaa719557c3466e2f41697b4a8a95f3cf996a1d5c8ad823dbaa4646527a2faca027f5b8b48122726b0f2d297fb6660397609fc00ad40540d9490bb

        • \Windows\SysWOW64\Lndlamke.exe

          Filesize

          96KB

          MD5

          d28d66c2c7857faf2d9196ae4ac9c817

          SHA1

          9852c8988d75ed518856b2f662c9ccb179c71956

          SHA256

          9236ad1218a6c7042ed4ca66d45e52d70578c7045999105a8c39f404673ad9ae

          SHA512

          7a84a9cffcc6a3afdd7141787b0324ccabfcdcdf8225349aea47e6377c60b5572e400d4dc2c82d5df0b32bb5b50f5a3f06e7c4f6f8cf7c7bbef14271fabd7d0a

        • \Windows\SysWOW64\Mcendc32.exe

          Filesize

          96KB

          MD5

          6526e4b305b2c07df2bf072693b48e65

          SHA1

          f2e0299f9de86f6a281440ed4d75b4dedb6be18b

          SHA256

          70bf32d0cc72b5ed012671bc2f1968109fd9067e99af5f2f6cfe89e58330e121

          SHA512

          0bb17a3d12db0ca4f47630505fdb9b7053ac98a1f333bab0d4ac5a5e78c3c4d01d1810bef162ee49121a2713c3e295c6c9394611318787a9b6325a4c05434231

        • \Windows\SysWOW64\Mfhcknpf.exe

          Filesize

          96KB

          MD5

          3c831812c28a7f85cdc2f471192090c8

          SHA1

          8c47121234a6f8d8802943312cee95ebf4ad0041

          SHA256

          59b974ad41980b59c66d677f455e5c98290768768b064386b865b945e7b13f68

          SHA512

          fa219b9716a03fe21e129396a7c462ba6b7ad36e3d0d658d4ebbe7186cefb4b6db3c2200ae8455d3e84e05e2514d5ada7014d6a559aaf1816e9e950f31870ba3

        • \Windows\SysWOW64\Mkqbhf32.exe

          Filesize

          96KB

          MD5

          e77587b75dafdea72f6d54df83b369e8

          SHA1

          a1e70d667c06eb345df66f6bd50fb961fcffb8c3

          SHA256

          4fdb75f055ef07b8ed79af78133be48fe8767b3453a32d4372701b298f990b35

          SHA512

          48b04072bd423147100d611b309303937995962d42c475ee2bf4d2e55d069e59096a6465f2dde45a14b3725e685ca6d44747ca7516f98df66b6d6c2967062f95

        • \Windows\SysWOW64\Nbmcjc32.exe

          Filesize

          96KB

          MD5

          246a0dae4766446408ce645df150a9e6

          SHA1

          45e952500fe5441d6e318ff94c986eed43086366

          SHA256

          76d744d6f0a6b641985038cc8ef5efeb75f76985733421f6f6a7e97fc7703402

          SHA512

          71b7c74dd331f2fbf00f4ac76c2570500de83bbe312789643aaf1712b1c3b392d459f72b05c126a8e5a50c805283136b0de31ce9d95a1262a364d73152d9b278

        • \Windows\SysWOW64\Ngoinfao.exe

          Filesize

          96KB

          MD5

          095b1206972e9c441685b1821107b87d

          SHA1

          52faefbcc94e09d2e3badc3b4e88cdfbb2103bad

          SHA256

          29fee111e08bfce2daeb465b792c4d5443e032363fcc2279855f96d7005f3652

          SHA512

          c5671de977d3a75c57ca24430d7d3b0e9377c75deff850a0019cb6c881b6c4b5e5b0d57ed20ee131e67a7df9320a75cd06a66b142495858c40f9bef0e0cf01f8

        • \Windows\SysWOW64\Nmnoll32.exe

          Filesize

          96KB

          MD5

          07c61657144c0c347aa6974d873a2b19

          SHA1

          95e9e33dad1869d50412b66c0cdc15b1f2f76a21

          SHA256

          688fa231020b01e6dd023d3c07766ec70ea752a62b95b0d752cbc1116d245dbd

          SHA512

          4fccb2dfc2fc4927405e3ab55988747bf65be613badd0b5d5ee25a94b5edb58600ac156a9eca220357a4bd5f0d1097e680eaf7c4a1b9bb3f8a71029b0e66b1a9

        • \Windows\SysWOW64\Olgehh32.exe

          Filesize

          96KB

          MD5

          91480d174097cec8899aa3c370851ade

          SHA1

          4d833a5d0cbfeb9026c5b3906d09d35eb474cf4c

          SHA256

          d1b0c5609559246ad4a3c3e0dec4a5239421706ada645fdc6ce9446312341663

          SHA512

          a7b13742b2dab423b65a6283868316428f7a2534d76c245273a9e374a519aec06b0025a91f006d26e1b097076991ab0ab212c05183a12f779df3e72babb1eb20

        • memory/340-255-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/340-238-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/340-247-0x00000000002B0000-0x00000000002EF000-memory.dmp

          Filesize

          252KB

        • memory/368-215-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/368-222-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/368-221-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/368-251-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/368-252-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/580-150-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/580-197-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/580-199-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/580-189-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1056-254-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1704-175-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/1704-239-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/1704-231-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2116-119-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2116-122-0x00000000002D0000-0x000000000030F000-memory.dmp

          Filesize

          252KB

        • memory/2116-174-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2168-253-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2168-232-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/2304-157-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2304-172-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/2304-103-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2304-106-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/2540-171-0x0000000000230000-0x000000000026F000-memory.dmp

          Filesize

          252KB

        • memory/2540-213-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2540-159-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2588-142-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2588-98-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2740-70-0x0000000000440000-0x000000000047F000-memory.dmp

          Filesize

          252KB

        • memory/2740-69-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2792-12-0x00000000003C0000-0x00000000003FF000-memory.dmp

          Filesize

          252KB

        • memory/2792-56-0x00000000003C0000-0x00000000003FF000-memory.dmp

          Filesize

          252KB

        • memory/2792-11-0x00000000003C0000-0x00000000003FF000-memory.dmp

          Filesize

          252KB

        • memory/2792-0-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2792-49-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2820-35-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/2820-85-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2844-41-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2844-113-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2844-50-0x00000000003A0000-0x00000000003DF000-memory.dmp

          Filesize

          252KB

        • memory/2908-190-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2908-246-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2908-200-0x0000000000280000-0x00000000002BF000-memory.dmp

          Filesize

          252KB

        • memory/2968-161-0x00000000001B0000-0x00000000001EF000-memory.dmp

          Filesize

          252KB

        • memory/2968-206-0x00000000001B0000-0x00000000001EF000-memory.dmp

          Filesize

          252KB

        • memory/2968-158-0x00000000001B0000-0x00000000001EF000-memory.dmp

          Filesize

          252KB

        • memory/2968-216-0x00000000001B0000-0x00000000001EF000-memory.dmp

          Filesize

          252KB

        • memory/2968-151-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2996-127-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2996-129-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/2996-76-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/2996-83-0x0000000000220000-0x000000000025F000-memory.dmp

          Filesize

          252KB

        • memory/3012-21-0x0000000000400000-0x000000000043F000-memory.dmp

          Filesize

          252KB

        • memory/3012-22-0x0000000000260000-0x000000000029F000-memory.dmp

          Filesize

          252KB