Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2024, 03:49

General

  • Target

    bd3b4991cfd106b6c1db954f5be25429acd23bd0872f378a03ace72b979d88d3.exe

  • Size

    303KB

  • MD5

    cb16219980ff02728abdf0397db17a58

  • SHA1

    2266dcab1842b625101e6e7e4d0eec6ac779c7aa

  • SHA256

    bd3b4991cfd106b6c1db954f5be25429acd23bd0872f378a03ace72b979d88d3

  • SHA512

    9d2211d9232e63de36209d537a38385280ddc33959bf32c112db452285d7859fbb07e271d4fb23cd502baf46eba4da08428ad5aa2eb3d913617499bd37578c01

  • SSDEEP

    6144:p765Xe42gE5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDSpaH8m34:pW5YTFHRFbeE8mo

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 37 IoCs
  • Drops file in System32 directory 53 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 54 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd3b4991cfd106b6c1db954f5be25429acd23bd0872f378a03ace72b979d88d3.exe
    "C:\Users\Admin\AppData\Local\Temp\bd3b4991cfd106b6c1db954f5be25429acd23bd0872f378a03ace72b979d88d3.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\Bkjdndjo.exe
      C:\Windows\system32\Bkjdndjo.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\Bmlael32.exe
        C:\Windows\system32\Bmlael32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\Bqgmfkhg.exe
          C:\Windows\system32\Bqgmfkhg.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Windows\SysWOW64\Bqijljfd.exe
            C:\Windows\system32\Bqijljfd.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\SysWOW64\Boogmgkl.exe
              C:\Windows\system32\Boogmgkl.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2844
              • C:\Windows\SysWOW64\Bigkel32.exe
                C:\Windows\system32\Bigkel32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3068
                • C:\Windows\SysWOW64\Ccmpce32.exe
                  C:\Windows\system32\Ccmpce32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2576
                  • C:\Windows\SysWOW64\Cmedlk32.exe
                    C:\Windows\system32\Cmedlk32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2876
                    • C:\Windows\SysWOW64\Cfmhdpnc.exe
                      C:\Windows\system32\Cfmhdpnc.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2628
                      • C:\Windows\SysWOW64\Cgoelh32.exe
                        C:\Windows\system32\Cgoelh32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1672
                        • C:\Windows\SysWOW64\Cinafkkd.exe
                          C:\Windows\system32\Cinafkkd.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2764
                          • C:\Windows\SysWOW64\Cnkjnb32.exe
                            C:\Windows\system32\Cnkjnb32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:468
                            • C:\Windows\SysWOW64\Caifjn32.exe
                              C:\Windows\system32\Caifjn32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:536
                              • C:\Windows\SysWOW64\Cchbgi32.exe
                                C:\Windows\system32\Cchbgi32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2176
                                • C:\Windows\SysWOW64\Calcpm32.exe
                                  C:\Windows\system32\Calcpm32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2384
                                  • C:\Windows\SysWOW64\Djdgic32.exe
                                    C:\Windows\system32\Djdgic32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:1592
                                    • C:\Windows\SysWOW64\Dpapaj32.exe
                                      C:\Windows\system32\Dpapaj32.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      PID:1512
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 144
                                        19⤵
                                        • Loads dropped DLL
                                        • Program crash
                                        PID:1196

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\Bqijljfd.exe

          Filesize

          303KB

          MD5

          af6c05290846205d4494167bfd51da95

          SHA1

          52d0b80dcafa6f2154149b0a17704e3db7e76bac

          SHA256

          58d2564d8367baf5c57994e30129ee1ebc0196100d5227ad4137f6982152c668

          SHA512

          6dfc791146522a44c428cb1443951adafb7e7737a85792d78d8b31cb83c8e354f713af97b7956d22fec95caed42c453732944611976500e8cfd66c0041c5369d

        • C:\Windows\SysWOW64\Dpapaj32.exe

          Filesize

          303KB

          MD5

          348faca6c14fe02046b5482e938b6118

          SHA1

          cca80791f34fdab040ca108bf879bfb0cb958fb0

          SHA256

          b7ce61335ad6bfcf2ccfb57c32a203689d6876e1ac1641f98740328ea63e3bbc

          SHA512

          45dbb60c1bda193d0660e87e94bc9d9ef02b99a9b2d36ff4ea8e923d6844becc820bc2f807f2fc16fff4458553101e1a3fdcd497bea9b6c7c6366181f99e1eee

        • \Windows\SysWOW64\Bigkel32.exe

          Filesize

          303KB

          MD5

          c72ba527ebd714ff0dd810aac6c6da26

          SHA1

          c4dd3d5c9c78b63771cd62bfcd34eb3d5aa4f78e

          SHA256

          878782b9b3e104bbc5fe05414ce6fbe42b5520ebd396bf83864d922fed2a27fd

          SHA512

          e409c84b3d09430bd6e6d1fb87e1fb05e65007bb3d9f94e4d615a91b753d895da77a59ed9411b6abde4c54a53b58dee1ab438cabfde9c13d2901d9175f3aeb26

        • \Windows\SysWOW64\Bkjdndjo.exe

          Filesize

          303KB

          MD5

          6a1c4ce093c678a968eb14f36564ff61

          SHA1

          b01ff287556a749b55557215dcfb75927bb1bc87

          SHA256

          69712cf0d3b5d79ec15419f870ed702c8740d9bd5ec4ca3cd62fa79fa9639a0b

          SHA512

          48f79afd5054ca49f6bad7215a50fe40f310da38ed8d0e6c45b2531c37fa8f0043ba87164fee5d2bd625b30bbc7b90ef862bfda64f62e40484ab83c4ff29fb7c

        • \Windows\SysWOW64\Bmlael32.exe

          Filesize

          303KB

          MD5

          0fcc1b13af7e941133d679e6dd883370

          SHA1

          9d80d0d0a7fd870aab392f6faae94bdad424c8ee

          SHA256

          d214a95c194a945ce9f979b10f8d75769b880d2c2ffd3b13195cad9622b29e80

          SHA512

          2c21e32238929ae0c1cdc07219967547816cdb5e531844718e6e469fc421337e7f8f91eb33a5733c9bbfc02a39a9c5c043e090db6a5257d3fbe97621be44f443

        • \Windows\SysWOW64\Boogmgkl.exe

          Filesize

          303KB

          MD5

          6836a7159965ff44a4807d57587328fd

          SHA1

          71ddacc0f210d7cc9bd091b2ecc683d1ff9b13f6

          SHA256

          2bbd53b476595793d27de63613a4518d1d83800335be59979338cb15a76e3f2d

          SHA512

          44955717c97c600cc3756545118ce646489e560e223d55c6f9ae33ea47d51ce50ade1c83a0ae8eb0a1c2c852ec02a9acb29e2d726350918381106a1c4426c8ca

        • \Windows\SysWOW64\Bqgmfkhg.exe

          Filesize

          303KB

          MD5

          4e5796593c6a984fc60e17a9f1a32a73

          SHA1

          b1dcc143153a9649937b1cca69b70e808c48a2dd

          SHA256

          69a48556c3b7ee91376fb6a5280f7f6221d466e6e33d5bfb03e1364e646a4174

          SHA512

          e3ccff3ed4bde7fd703157619b3c0892a06d325f8018dd2e2a48a608fe6f6440c5a45183b21c1073685e0b591f5a8e805c50af710513b19366b07ba8ead96899

        • \Windows\SysWOW64\Caifjn32.exe

          Filesize

          303KB

          MD5

          2577ca3a612287e8e8943b3d02126c38

          SHA1

          bd3fff04f31bbaf562532768f1bd246df02d6249

          SHA256

          6e1f7e12688b6a6cc99f6e0bd38681b8050e0d2b0d8ff5a8b6ceabac39781084

          SHA512

          763496323da0b2326bc9c23781b6aee0f4cd8fcb2f13f3b1cfb78870be75e37ea9934f7ffe5f3a37d3d2ef5579214aa9fbbe3c3289b534a9a2636f698a1518a5

        • \Windows\SysWOW64\Calcpm32.exe

          Filesize

          303KB

          MD5

          4d0b1b75cbe70d4c6b7a222774ceac5f

          SHA1

          b651d79aac064da22014e3621291a25d4dcf3c98

          SHA256

          abc2ee79206d1906b424b1fda51886c2a2a2149d8db411c7d90bdd0dc52ead34

          SHA512

          2b06e5d68247f9eac692e610a801151baa0262787141ff068fed66317ec186b4b4e6e4ffd330575487cf4d2673bfaab437321bc4a7b5f339acb2d6ca92576b67

        • \Windows\SysWOW64\Cchbgi32.exe

          Filesize

          303KB

          MD5

          3e5d12a5a3ccbd2b956ed057430a5f01

          SHA1

          83ca61aebce6ff600a2119efbdca5ca3efc8cd10

          SHA256

          0539a45c2de944b2ac22aef9b3e354b7274bcd352d90acd5a957542f7d5c0c46

          SHA512

          f5f9437394ce06777752981bc62f0821e13c9803bf9dcb856414197216eddd8a1a5618f680bea60eb7d1b8e97e885d792d061a38e82ee67b75a30f272c58e8e4

        • \Windows\SysWOW64\Ccmpce32.exe

          Filesize

          303KB

          MD5

          8ef9cd94f622258a1481f0da44e71769

          SHA1

          ea260ec66c4c58615b2cb593455029d756683671

          SHA256

          2c066ff5fcc6c320a019b957f966aa625430b26911c94fd4c9f5d38d4e44c7ce

          SHA512

          8a46a7a6f9d18f0fd852561a8ec1a02dcf78a69a70ceb95f9ff7b1d66c8345a60ef0da08ad890b380595346d29d87355024ad0436db6009b6c991e797f7ee864

        • \Windows\SysWOW64\Cfmhdpnc.exe

          Filesize

          303KB

          MD5

          896500c4269a6d50e8690c9a54c49939

          SHA1

          d58e2daad025e1266cdc6085ea907516e6a44423

          SHA256

          40a8bdec870f7f552d801475971c7ce338121ca93b053551bfb0407b539ec206

          SHA512

          57034c9610bec653dde2ad681c4677b21030a976f363451633b93b48f69672278c44ab25bbfea1b4ed7914db7ad525b84a45ec52e13f0daab9e8b766e8d7be56

        • \Windows\SysWOW64\Cgoelh32.exe

          Filesize

          303KB

          MD5

          94f68c588167c0b67b131b37372ec1a1

          SHA1

          d94dce5238754bd2f588cbfb8921bfce74ba1b51

          SHA256

          6c0d95ac84c9651dc94a480cfdb9c1891291789f24f6ece0b8d141df3062e818

          SHA512

          a5b1d1d5f0471fa317faf219b6d08e903d5523b8b2cb3d1f64215c2667564fbf74c5f8dfe03e8004eaad007f0419b31f38ff062791f36d0cbea9d030ad1fa64a

        • \Windows\SysWOW64\Cinafkkd.exe

          Filesize

          303KB

          MD5

          5e1136f1dfed4cb26c5ae435209c14c1

          SHA1

          f7d54ba043160ac48190f83f53c33b3cb5378ae9

          SHA256

          4cf35343d4c985720073a54ef9131bd669be8b587e8eff4298bafee779ef40a8

          SHA512

          90d6cedcad78c36c38ac355c465c4ead146eff6e3b1402eee546d33de8982095807a421b0c514424bdd469e140e8b4b76d9d4f9278987ee9460a411010ba5138

        • \Windows\SysWOW64\Cmedlk32.exe

          Filesize

          303KB

          MD5

          15e4e6581c16c285e59a5f16fc94b4f8

          SHA1

          389d5e9a7c8e495b8cc25d949c09e99c95fc1b28

          SHA256

          d4f9a39f04e1af34925701f942a3367801d13b248d26e437ecc5eaaa0b2c0640

          SHA512

          7d4e2729524a6f9946a11b8ff0e345bdd06f025bf007c8c218f807da436e79c7dcad77d59026df8876de7d2e86eb6c27a714da94ec2b0451490845e34fd0d89f

        • \Windows\SysWOW64\Cnkjnb32.exe

          Filesize

          303KB

          MD5

          5193312318fa4cae4784edfec1e5acd6

          SHA1

          7f85381d820d1856a5f9d452b82d1c85b2ac4df2

          SHA256

          fb6083e5754aa7f60ffdcc78e56b7b66b30a687746aa0bcb6c5e2204a3b33315

          SHA512

          5891980a02fa74079cbeea79a2cef72dbcaefdabba0c307aad59c9de5d1543faf02f72f257926d8694c30417565a738cb1c1b332db5f4764398be71e734d86d7

        • \Windows\SysWOW64\Djdgic32.exe

          Filesize

          303KB

          MD5

          bb5dbd319668392e22d1fc49e12136c6

          SHA1

          e6d65ac7cd7807fff83e0727a5d94455160afb36

          SHA256

          be2b3cba1ce69d221b7343d40af9ce27c2b347234c5d737fc5a5d729db2f3515

          SHA512

          964e5fea11409a5c3b1c417bd028a07b22dfa128a8a64633b101f4eedfdd89c9461bba20733f386f0c694abd1d80fe60e11af72990783563ee7ff3d8f41982fd

        • memory/468-161-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/468-231-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/536-175-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/536-235-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1512-226-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1512-238-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1592-227-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1592-223-0x0000000000250000-0x0000000000283000-memory.dmp

          Filesize

          204KB

        • memory/1592-213-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1672-133-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1672-141-0x0000000001F40000-0x0000000001F73000-memory.dmp

          Filesize

          204KB

        • memory/1672-236-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1944-0-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/1944-12-0x00000000002E0000-0x0000000000313000-memory.dmp

          Filesize

          204KB

        • memory/1944-247-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2176-199-0x0000000000250000-0x0000000000283000-memory.dmp

          Filesize

          204KB

        • memory/2176-187-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2176-237-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2192-46-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2332-246-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2332-13-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2332-21-0x0000000000440000-0x0000000000473000-memory.dmp

          Filesize

          204KB

        • memory/2376-39-0x0000000000250000-0x0000000000283000-memory.dmp

          Filesize

          204KB

        • memory/2376-33-0x0000000000250000-0x0000000000283000-memory.dmp

          Filesize

          204KB

        • memory/2376-249-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2384-230-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2576-241-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2628-239-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2764-159-0x00000000002E0000-0x0000000000313000-memory.dmp

          Filesize

          204KB

        • memory/2764-147-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2764-234-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2844-68-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2844-240-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2860-61-0x0000000000440000-0x0000000000473000-memory.dmp

          Filesize

          204KB

        • memory/2860-243-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2860-54-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2876-245-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2876-107-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/2876-115-0x0000000000250000-0x0000000000283000-memory.dmp

          Filesize

          204KB

        • memory/3068-242-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3068-81-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3068-89-0x0000000000300000-0x0000000000333000-memory.dmp

          Filesize

          204KB