Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 01:05

General

  • Target

    9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe

  • Size

    128KB

  • MD5

    7d976140cde1e2527006129321410b74

  • SHA1

    7542e04d3bf41e168f7d3269506f3747228bed10

  • SHA256

    9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2

  • SHA512

    30aa2628db8e1bcde1f2aae0f2cdcd71e21485eefa8afefea8c0613272c5183c565144fa9d91116f243e1b5cdedd9ef8ef05549b1ce9ba1b622196c676143593

  • SSDEEP

    3072:pZld0+59gmrBCJocOw8asCHNhMXi6Y0HYSx9m9jqLsFmp:Nd/rBCrO2xUS6UJjws6

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 18 IoCs
  • Drops file in System32 directory 54 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 57 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe
    "C:\Users\Admin\AppData\Local\Temp\9f3bf463a151d8beffffb6b3fdeb12910eb1d2abe9b57d93c42c97d58c4273c2.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\SysWOW64\Cdhhdlid.exe
      C:\Windows\system32\Cdhhdlid.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\Cjbpaf32.exe
        C:\Windows\system32\Cjbpaf32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\Cmqmma32.exe
          C:\Windows\system32\Cmqmma32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3504
          • C:\Windows\SysWOW64\Cegdnopg.exe
            C:\Windows\system32\Cegdnopg.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1060
            • C:\Windows\SysWOW64\Djdmffnn.exe
              C:\Windows\system32\Djdmffnn.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1400
              • C:\Windows\SysWOW64\Dmcibama.exe
                C:\Windows\system32\Dmcibama.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1992
                • C:\Windows\SysWOW64\Dhhnpjmh.exe
                  C:\Windows\system32\Dhhnpjmh.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:536
                  • C:\Windows\SysWOW64\Djgjlelk.exe
                    C:\Windows\system32\Djgjlelk.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4888
                    • C:\Windows\SysWOW64\Daqbip32.exe
                      C:\Windows\system32\Daqbip32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2120
                      • C:\Windows\SysWOW64\Ddonekbl.exe
                        C:\Windows\system32\Ddonekbl.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:448
                        • C:\Windows\SysWOW64\Dfnjafap.exe
                          C:\Windows\system32\Dfnjafap.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4068
                          • C:\Windows\SysWOW64\Dodbbdbb.exe
                            C:\Windows\system32\Dodbbdbb.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3840
                            • C:\Windows\SysWOW64\Deokon32.exe
                              C:\Windows\system32\Deokon32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4008
                              • C:\Windows\SysWOW64\Dfpgffpm.exe
                                C:\Windows\system32\Dfpgffpm.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1472
                                • C:\Windows\SysWOW64\Daekdooc.exe
                                  C:\Windows\system32\Daekdooc.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1532
                                  • C:\Windows\SysWOW64\Dhocqigp.exe
                                    C:\Windows\system32\Dhocqigp.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4668
                                    • C:\Windows\SysWOW64\Dgbdlf32.exe
                                      C:\Windows\system32\Dgbdlf32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2232
                                      • C:\Windows\SysWOW64\Dmllipeg.exe
                                        C:\Windows\system32\Dmllipeg.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:2320
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 396
                                          20⤵
                                          • Program crash
                                          PID:3932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2320 -ip 2320
    1⤵
      PID:3916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Cdhhdlid.exe

      Filesize

      128KB

      MD5

      2f502477584b0f3a99cd0dec9cf59e16

      SHA1

      89e60d195c04250a32f6611fa81171c77f2a855e

      SHA256

      50e83dfba8c12418019572b513e0c793b6539c4e31b5ca999900c785945e363a

      SHA512

      9b951cefd8cec12d6b105f1a7799eabbd84dc39c998f52452544c87490c6ffd3bfcc8846df33925327f5bc6028c75daa03b7cfdc4f551d0267b377748fcd23b2

    • C:\Windows\SysWOW64\Cegdnopg.exe

      Filesize

      128KB

      MD5

      7d094d7ef29bbd44574e9c6223fec81c

      SHA1

      473f4172600d1c5ab2cb9e3c6c12091e4dd03722

      SHA256

      94d8f94d4165005abbd246699ed2c5074bb799f40f8d2cec209bbad2528c591e

      SHA512

      e23dc6f1cf2a57a7875161cb16d8546f9ba87013f8e28ef41364bb7f40445748e99276b15e496639027cf0b61a6e8ec60397b2d595e9fa709f425f9969b854e6

    • C:\Windows\SysWOW64\Cjbpaf32.exe

      Filesize

      128KB

      MD5

      178c171f15dd007322039b36903c0dc3

      SHA1

      70d682b4911176492993ce15109de5b49b00aaa5

      SHA256

      7baeceed5147ebc29a3f497665c5b66f67fd9f411564b723a2013aa7b4c5e7dc

      SHA512

      c3ef08373117211b41d2e05d6a48f9e7051263f3c149bb0d1107b62d0e704cb262e75031c45f5d1998efe8c01a070b8436fa5bf5695629ce55e61b04b067acd7

    • C:\Windows\SysWOW64\Cmqmma32.exe

      Filesize

      128KB

      MD5

      e502e619e16c00cb3926d376b3aab16f

      SHA1

      c807fc444e181303b3bd2904eefb7606f99eadbb

      SHA256

      6e1cd8e1da12371249dbbbdad07554cd62b0cc8a494e5264858ea81c3e156555

      SHA512

      bd1e26553892bd181caaf62a8ca42b8373d2da98b0198a27486018dee6124f8a7be4667c9fa52181f779feb024291b93f8673cbe381c0c8394cef81af6633426

    • C:\Windows\SysWOW64\Daekdooc.exe

      Filesize

      128KB

      MD5

      50f62ab096a19932e93e877ca3ca9109

      SHA1

      1fed04c0dd836dd5787ac257ce200a2507e40fe6

      SHA256

      0b9a1ff8fcfcafad6e7218675347fc1abf13129a17c0d5fba6314af589a75d43

      SHA512

      17c572d8c7e21d0719f5a3e4d0bba9946325a0fea98ada4e6c611d03b0a0a4a683463b7c6fa4acb056b4400abb8697e8378e120641a162731f231ae3af40d04d

    • C:\Windows\SysWOW64\Daqbip32.exe

      Filesize

      128KB

      MD5

      7389053063d86ac3555343f5a20a98b9

      SHA1

      f42bc2f825bddebb9998a9a9f2b48320d0488099

      SHA256

      267c887973b1e3c12505d1a04d9a4a551809bc3615343eb3528ddc2d974e62a4

      SHA512

      7581fe42583583e736a62c42d785a981f25142b70e10af4a33213fdd3bb363c4e705f10eb72c35253bec802993b6103f6dab740ec8b31cd92ec496ad5be14ec9

    • C:\Windows\SysWOW64\Ddonekbl.exe

      Filesize

      128KB

      MD5

      ce60674c472d37236fdd873d1f30b043

      SHA1

      46ed505b39116ab4b66de41eee0f3ab533fcf7ac

      SHA256

      aab0961298f788ae4bca295f56297fbe4ef712725f53148364e7245cbb611979

      SHA512

      bbbb11024ab31fbe25108a25b6a70ea912cf8baa4067ca725d15c105cf08017aa898b86b553a3f400c978b9b952fa6ae6b6be8671c29cf688fe8c99905158c23

    • C:\Windows\SysWOW64\Deokon32.exe

      Filesize

      128KB

      MD5

      6441def16e17bc2a6d7294661c346d32

      SHA1

      acfbc13ba08dab8bc39f4b53b9c444c267459493

      SHA256

      1953d00238e64b11d242b58ecf564a96e6d2a74aae1617250622beb27097f97e

      SHA512

      a2547285d6e628e872b596681d5aa01f290a48bcf665b5d073f0b2fc4d535616944d12c65c1d92083b27c72e95b7ab2c7ecfa8ed5d27b8f43afcf98a061c6bf0

    • C:\Windows\SysWOW64\Dfnjafap.exe

      Filesize

      128KB

      MD5

      5a9f9f82bcbf67315c2fd2764fda52c8

      SHA1

      efda91136e432c1302640d55707f61c4bb71383a

      SHA256

      947d0151e60be0452a0ab0502bdb68f99c6c2242d513a09ff707e5cbfb176d28

      SHA512

      697b756eec3d5bf9dbd34070bc7cc68395cd2a8653645bd4cb8cd4635541ff61a27babb6b1303283da5dd6e64984295280d4faa46fc68d66d8969eee94c44501

    • C:\Windows\SysWOW64\Dfpgffpm.exe

      Filesize

      128KB

      MD5

      ea46d22b887fb27a06d452ea6c43788a

      SHA1

      2d5ce6d3892850b4c452879e4c86b54e7d68605b

      SHA256

      0f7029ed24c98b9d2ec489812f7f365487ab98c35a851e7f14eb8cb2962208e0

      SHA512

      12481e20128217ad426f4630febfd0b31b1f7fbc09e726ba57e1f3b80acdcd678cc13e10305bdeef5dae740e229f7534722e452151c73416dfebc0d60fcc5aea

    • C:\Windows\SysWOW64\Dgbdlf32.exe

      Filesize

      128KB

      MD5

      84d96bfd9abe1ee62b76974175874981

      SHA1

      d5d33e25d152ae1d855264f09493d344c8c82a0a

      SHA256

      f31e3b2b598fdd0f5b6ce4331da5f86b86869823220fa5f7f5319e4ac49316e6

      SHA512

      dda55655781497055b6ef348177eecf6ac3a2f77af0733cb212eb85fb81b3cf1282fc0aa9545131a3586c13b4adf813443780cace160b4769bdec91f1dde55b3

    • C:\Windows\SysWOW64\Dhhnpjmh.exe

      Filesize

      128KB

      MD5

      635deff47c0d596ade944e4cc4297a7b

      SHA1

      16b8546433f0598a0124edb8f94188eedcf87866

      SHA256

      332d432cb4b9346adc53e3486d0ba314e6c577861b756164e96b24c0d65f6c75

      SHA512

      df3158f6ec52234a1a808753e3e6905277ae6351465c2f9290c8d4f6dd0097bbf10f0ee6a3979f9791302840f1089de0693ea9f2a878f73a0d4d3e2b5087783d

    • C:\Windows\SysWOW64\Dhocqigp.exe

      Filesize

      128KB

      MD5

      dc5de9fedd310fd2182215fa3bb8ff34

      SHA1

      a12bb5cef1cf58a95e8c47eba7b67fb3eabe4889

      SHA256

      f376822f10e895884d49db89bd9e77066fae3a0248a858071f2e63c970cd9113

      SHA512

      1e721cbfddc69f3a9a522785ce6d49ebda358a5eb60fda9c0ee41da733c2335431b19c305b83c7173ffbcf413530d0dd870f16d1631ae9da9a18b684fc07fe7d

    • C:\Windows\SysWOW64\Djdmffnn.exe

      Filesize

      128KB

      MD5

      64ea93c8fcd7c77df4d6a5716dd584dd

      SHA1

      0b4adae4ad47e8cc388558d43cfb6ca1425f8357

      SHA256

      0a0918de7e1d7ef4636b9a378c5cb4f72ecf568cba6166fb653113ced68ab584

      SHA512

      ccf141ef386b09a762340ec405b6b10082be264fcae460095531e66b7f8284a35c930a1134a1fea55930551191364fd56eff176f4724c0bc8c2d13b8c3d1c136

    • C:\Windows\SysWOW64\Djgjlelk.exe

      Filesize

      128KB

      MD5

      a1749b58a77b60fe6c01c725a9bf899c

      SHA1

      84a44e56e03dfcf12e076382cac4367ee9a59044

      SHA256

      3e59eb799a17649c70443a68b6daa6866c0d69736f9d50125ac7b294f5e96559

      SHA512

      4bf19dd0c217ad8b61a73b0d513542f8a2614735a2926a364ade256200df61851c7932182b21b5c2ef2e7478c6e2d21661d126b13eaeea83055a90028555a256

    • C:\Windows\SysWOW64\Dmcibama.exe

      Filesize

      128KB

      MD5

      d405653c17935dc9546cecc8671a9e44

      SHA1

      2b2193be5dc6fae9d522801d022343f02d5340bf

      SHA256

      32c9fd8777cecb8c5182b96503daa7a7c1729c495567f41730c2a9eebe8723c2

      SHA512

      2d0e1d33ef3f7ea112ba02ce4f9c760255a3c200c86f5de2a0b2c24ed77317f774018189b4c0036250bdacff6f7a2a684d8c0b5b26b78ba75c6183c19e64799c

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      128KB

      MD5

      ed7aea2799a14d4bedbeb9c88553368e

      SHA1

      af22c7b6e3906cdeb9bebd99ae5d0f2287c8fec0

      SHA256

      7bb0d290280269c040987d3ae73c2e86afc8551755b223cd3731222cb9d6a3da

      SHA512

      0b3899d559821116c8402e861236ebdd022fb1e25535254f83acff33ffdfa7befa7fa7b334403a3acbe771998e01e1829eb762861ef5137040c72eab435e2b94

    • C:\Windows\SysWOW64\Dodbbdbb.exe

      Filesize

      128KB

      MD5

      d9e0aaa86bea7fbfc51b6aaa21070b99

      SHA1

      70e7ade0cd0e27c47647a9076191cc0f67dc4918

      SHA256

      94a5a2f2e9b17dd30a8a74f2e432e2a4d319b472c93738d4fce87ddce0bb2099

      SHA512

      407663693fb3344604dadd50dd722cb2920f0c9430184122dbc61319d200b38330c35fe135e0d729744a13e90ae05d9ee4b1e74edbdfdfb7ee97eb9b002e90b5

    • memory/448-152-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/448-80-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/536-56-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/536-155-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1028-161-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1028-8-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1060-158-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1060-32-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1400-40-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1400-157-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1472-148-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1472-112-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1532-120-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1532-147-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1884-160-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1884-16-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1992-48-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/1992-156-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2120-73-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2120-153-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2232-136-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2232-146-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/2320-145-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3504-25-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3504-159-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3648-162-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3648-1-0x0000000000432000-0x0000000000433000-memory.dmp

      Filesize

      4KB

    • memory/3648-0-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3840-96-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/3840-150-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4008-149-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4008-104-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4068-89-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4068-151-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4668-133-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4888-154-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

    • memory/4888-64-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB