Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 01:28

General

  • Target

    a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe

  • Size

    128KB

  • MD5

    b9b8365aa367f971c9b0c5d0a4a005f2

  • SHA1

    9c294bd2fe72a75e08ae2da2bdad4c368a73c745

  • SHA256

    a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7

  • SHA512

    3720e4997b144487072bca3fe0d3a8667b3ce42e81917ed8e794cbb16b9ca34a5a28d63ceb5bd6743e292b0724cd33cf22841afd71c201a3b42158702af81ced

  • SSDEEP

    3072:eXc3kLXD6kIz4IkNvI1oE+iCLs+8BJGmwDcUg8VLY3FQo7fnEBctcp:JkLX2dz4Ik9soE+iCLs+8BJGmwDN9pYK

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 46 IoCs
  • Drops file in System32 directory 63 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe
    "C:\Users\Admin\AppData\Local\Temp\a97fed8f7c4f5fdbf1055ca52119fbdb4ee153bc17604a5d07529587e28a83c7.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\Legmbd32.exe
      C:\Windows\system32\Legmbd32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\Mbkmlh32.exe
        C:\Windows\system32\Mbkmlh32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\Meijhc32.exe
          C:\Windows\system32\Meijhc32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\SysWOW64\Mapjmehi.exe
            C:\Windows\system32\Mapjmehi.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SysWOW64\Migbnb32.exe
              C:\Windows\system32\Migbnb32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1896
              • C:\Windows\SysWOW64\Mabgcd32.exe
                C:\Windows\system32\Mabgcd32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2804
                • C:\Windows\SysWOW64\Mdacop32.exe
                  C:\Windows\system32\Mdacop32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2388
                  • C:\Windows\SysWOW64\Maedhd32.exe
                    C:\Windows\system32\Maedhd32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1192
                    • C:\Windows\SysWOW64\Mholen32.exe
                      C:\Windows\system32\Mholen32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1544
                      • C:\Windows\SysWOW64\Mmldme32.exe
                        C:\Windows\system32\Mmldme32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1872
                        • C:\Windows\SysWOW64\Magqncba.exe
                          C:\Windows\system32\Magqncba.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2760
                          • C:\Windows\SysWOW64\Ngdifkpi.exe
                            C:\Windows\system32\Ngdifkpi.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2428
                            • C:\Windows\SysWOW64\Nkpegi32.exe
                              C:\Windows\system32\Nkpegi32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1780
                              • C:\Windows\SysWOW64\Nckjkl32.exe
                                C:\Windows\system32\Nckjkl32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2156
                                • C:\Windows\SysWOW64\Niebhf32.exe
                                  C:\Windows\system32\Niebhf32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2244
                                  • C:\Windows\SysWOW64\Ncmfqkdj.exe
                                    C:\Windows\system32\Ncmfqkdj.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:1720
                                    • C:\Windows\SysWOW64\Nmbknddp.exe
                                      C:\Windows\system32\Nmbknddp.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      PID:2360
                                      • C:\Windows\SysWOW64\Npagjpcd.exe
                                        C:\Windows\system32\Npagjpcd.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        PID:2364
                                        • C:\Windows\SysWOW64\Nodgel32.exe
                                          C:\Windows\system32\Nodgel32.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          PID:2020
                                          • C:\Windows\SysWOW64\Niikceid.exe
                                            C:\Windows\system32\Niikceid.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            PID:1776
                                            • C:\Windows\SysWOW64\Nlhgoqhh.exe
                                              C:\Windows\system32\Nlhgoqhh.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:2612
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 140
                                                23⤵
                                                • Loads dropped DLL
                                                • Program crash
                                                PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Cpbplnnk.dll

    Filesize

    7KB

    MD5

    28a97cee53e6afd377d712584ac181cb

    SHA1

    562d4cd520ab2f2199e4ab2d59e6dcfb7b133fa6

    SHA256

    df08a6621ed125963f1f5c14fb61d697ec9a223b28ee1a5721b010d775cf1df8

    SHA512

    38bab395748320bd22254417160289896574a4c39a6c16bbd929b8f5780857d3042e9961472d55255faf4bdf0c30bc8fa221dba52e293488b230280de3f441fb

  • C:\Windows\SysWOW64\Mdacop32.exe

    Filesize

    128KB

    MD5

    47e04d743e396ae654961c875eabe290

    SHA1

    6d7fbf49c426d6f5ef2ee243b14c090718339124

    SHA256

    4165bc506f98402eaab798374387219df08725e0de9208855f6751023d17b23c

    SHA512

    df409386a27024477d9c8323acca4ce3813bfe3ee4f786aa26d87648d45e85ae4f2b3c1d4bd16fe6996e8da6dd3a30ab16a08ce5d151cc3979c0cbdcbe5239ca

  • C:\Windows\SysWOW64\Migbnb32.exe

    Filesize

    128KB

    MD5

    2e5e6751206c8f82146621166f831db0

    SHA1

    45a754abd57d537bcaa5bc6f0c507cc8138d360c

    SHA256

    999f299976e314ff95bc6fb5238151aabe50f2ad2fe0baf282a3550e177d7c27

    SHA512

    9c5ae70e3eb0781e2b0b1324887d57cde2ec359a5b4ff643b6bd8f36e4ff3ea196734411a1781dd9efd66f64de5e03706d83f2925c6b9f426998da5f16497185

  • C:\Windows\SysWOW64\Mmldme32.exe

    Filesize

    128KB

    MD5

    55249e138f19a7f697d1b68b03ff7aa0

    SHA1

    fed601f136b6274fd3da3c21ea711fcae8bf31b0

    SHA256

    289f887dd8b8f81473f66a2424a86186f6b31d4d8dd7dbbc2697a68f39883882

    SHA512

    8a04d3a0a6383b07168cebdf99c3a15cf851baa794ecba181404d1d4bedb3eac7fc44dc4ef5a080bdb33713c13b3d20f4a425f719d418c0de15bc64737c2e218

  • C:\Windows\SysWOW64\Niikceid.exe

    Filesize

    128KB

    MD5

    13c8ac61e0146b57c3d0f656c5a89c88

    SHA1

    a861a716e207bd880c5189e76439296caa0c3046

    SHA256

    7aa041425c5200fee224127ecdcbcf0771be618e5e2edd4b33200e21821d29e1

    SHA512

    38995310e1d0540494a9e7b1a6eb3d5b389e1d71c31dbbc14a0e289ff916277c868ce4149a728d18f9c163f54af9083f2404eb9fe8fb93bcdea20811b9b33972

  • C:\Windows\SysWOW64\Nkpegi32.exe

    Filesize

    128KB

    MD5

    18a347c57fe7cbaf65059a66eda070b2

    SHA1

    64e1e742805f5e8a02245af17c34553808ef27af

    SHA256

    5626313095c213e759f9af08bbec477c462ba76e0c6b47c5725e736b767aa6d7

    SHA512

    6fba8a0f11fdf7c688d8e114268cc503834845786ab94c55afd3501ca2507a7b12101459077850577700d710bd8ca6608b3884a1d3f52b77e3bcbadf3ec8a5ef

  • C:\Windows\SysWOW64\Nlhgoqhh.exe

    Filesize

    128KB

    MD5

    9d0d809ff9a48da5a751101f436a4692

    SHA1

    048d96d05b1300fa09517a1f0792975173ad0835

    SHA256

    4a2d431e373ad1a23a97bf8fab4e677b00eb23404a73f2f24732e456ccbd3cf3

    SHA512

    53ecf3483b86a78be20815b948b060189363735aa0f87fe9322a0e2de9b192245da2c7ee832df45a1d9884b18087d2de14e3abe71101899c0263a3bd43accb84

  • C:\Windows\SysWOW64\Nmbknddp.exe

    Filesize

    128KB

    MD5

    8ec8c163f4d3bef88a8ab00e061d6596

    SHA1

    14821db83f57ec7b5243fed897cb96c0de5b3cd4

    SHA256

    28ddce00db0e40121b9456295e881172467bdf2b4fa2bb9fac368f4a4d9a6d6e

    SHA512

    c8a68e10dfbd0908c2107323e28c4830d04a58a268a267bf7fc13e4467798880d0d5ec1fe22d7775015c75bc5e1b95f636e08888a0b70fe0a24a864b2e8e42ba

  • C:\Windows\SysWOW64\Nodgel32.exe

    Filesize

    128KB

    MD5

    2e33e3e1bcb9da6c2ebfcbe6e729fc27

    SHA1

    ac59ac74c6b43c67f76eec1e6864bb01b1d7d944

    SHA256

    d1a2b2b3d6f3b3d9da21127534f58812bb1e44b78fc566ffb015cd56f79854f4

    SHA512

    975acfaa0495c5d5c854e9800bb48b565ce01c5cfac29a2b2ccaa281d8c3cd5f6ae835f9ccdd4d1a2b0cbeb6785e560d52887a52716842c555becd7d430f8728

  • C:\Windows\SysWOW64\Npagjpcd.exe

    Filesize

    128KB

    MD5

    b4f1a11ac9f5a2528d54332bceff25d0

    SHA1

    e8626034b7ee64f0b6775563d194de9fe81e30a7

    SHA256

    00c3fab8ca976146055ac4bef9e3aaf787af3a2e7b822bdfdf409485c1f0402f

    SHA512

    dfa8a0672db10a92b01656a398088e3b8ee01a9ebf05b3682495a45d962e4a8ef541e6430ffba3ccd47b4a9480dbbfe242d3ee28e9ef7cbf34f53cd8bc1a8773

  • \Windows\SysWOW64\Legmbd32.exe

    Filesize

    128KB

    MD5

    d32ca2fd9928e86d6b2030770c63ca63

    SHA1

    f29d4ab75ffc90f298f91603a68ffd037cc199b1

    SHA256

    b8067d75b74a245c44cff8ff9aa5ed173471d5aaf57be1a3d7888ef2a8797cbb

    SHA512

    5aa5346dad1d3541dc21346c54b5642c5c98335103b632e427d227737448a7498c494941066787c80046b14dc32e3a31392f16eedec4fe9cdc392c4e615bf5c9

  • \Windows\SysWOW64\Mabgcd32.exe

    Filesize

    128KB

    MD5

    a7ffd4c44efe97cbff8a8533635f8fb8

    SHA1

    e97b3618979c7fcf94b181b55d92006107c906dd

    SHA256

    7f2e695ec4c0ab0c4d8d4ea41cb7e1ada3205a2d5ba9c9b45a25782d1e3d69a0

    SHA512

    2836c4d5ca35b1b1ad4578fffc9b8d1903f87256a2a1c5411ce1d1fffefda7ffaddffe709a35ae27363d719974a8e9eb3ac8c3ca6c4b4ca073122ab538251974

  • \Windows\SysWOW64\Maedhd32.exe

    Filesize

    128KB

    MD5

    c1a9f88d00dc2a1f2d8a5c54589115f9

    SHA1

    5f38e1a603fac4fb7a72853a9d00695ea3491bf0

    SHA256

    eec831d7c44ea13342b006716fd6fb1504c424b57952d9d725b1ba7df59589d4

    SHA512

    51b0cedbfecf05df7a2fbba5fc1b4b8e679beb0ca96e7612c2a36af503fdd6c98ce8a6235a8121b0476b3c1ce3d16271536779c2da993fb7d0318789da2eb3f8

  • \Windows\SysWOW64\Magqncba.exe

    Filesize

    128KB

    MD5

    22a43c838f893ab9c6f8b9b114d34f38

    SHA1

    b9483d37f1668f47985e0c2e7a1f2d59941dbd7e

    SHA256

    952c2f608ecff5005dd5eb18c48c03d7c15e0504589d61d260360cf40007d767

    SHA512

    02c5d33fb05cb49be539409122bd014ce091e542664d3f2d276d3d64f9d0a10b524ed7cd7903ed85002cf0caed9e6875447361355d63c82991d304135b88762f

  • \Windows\SysWOW64\Mapjmehi.exe

    Filesize

    128KB

    MD5

    e873de98f6ff8333718162f1db890f93

    SHA1

    e8a529e16f6c76bee4ef717b896a99d1a2b0ec07

    SHA256

    45db17eb6e74f1acca3276f3528a12dbb5d9a3677e667750ccb765701c019ce6

    SHA512

    9b4d72ad60dd3757e8e02742e7c04579b0f70e6abbc224d8661df9024dfc90be08c87ca71b4429ff806d69dfee3e2b0f8d0420efc94f8422f2b620a337ca5273

  • \Windows\SysWOW64\Mbkmlh32.exe

    Filesize

    128KB

    MD5

    3714b95ffebfecc0ca6daae68741473c

    SHA1

    a63ee32001d35be19e7be3fe29fcd331547c812a

    SHA256

    4a5f76fcdb6ea558caf9947d5ca0dcd8d085f31eff492463ee280d760831b5db

    SHA512

    66fa3ee4dbcc24fdc7778302b3b410f29996fd1ce49dd8e214234691e05cde3c8ce1341575a26b0e61eaf7dbb206a0d5c297104e4622648b44ac63366c21398b

  • \Windows\SysWOW64\Meijhc32.exe

    Filesize

    128KB

    MD5

    4496c8f50b26df5a3ea1f556f0b6fa13

    SHA1

    f5a9295ea396e9940d06b01ba6ff7ce485244c6e

    SHA256

    dbca79be5b16889cf72121e33b1a91b8dc619ba312849173bfbf818dd0ea13a1

    SHA512

    997e4ad4346763caeb416157eb99ab6f614f619480285ad90939bb77df323decafce0c6600f5c88ce467f94a123427850fb2230755620bf7a4ae00bc1cf2afbe

  • \Windows\SysWOW64\Mholen32.exe

    Filesize

    128KB

    MD5

    a991958839e2cd9264c534d25a15d47b

    SHA1

    89a699ff838d9689db9b728eb228df8a83d3fb86

    SHA256

    a2ca5ec706d8c7141713bcd936d9c8305f4099c4107937684d854693857c8847

    SHA512

    a86ea948670278eb68826e4fccf14a0b8ae79597f35c27e03733773bf106c88199017e25021445dc2319f64bcac0ee935c5b4bf84ba8daef0762affa415d9560

  • \Windows\SysWOW64\Nckjkl32.exe

    Filesize

    128KB

    MD5

    579f64a8ac4decd0e3ad21da0518a838

    SHA1

    3f635b2297235d6d61e0f5a21d914ee42a9cf6e2

    SHA256

    8ed71a8ec4b46b939641b14b3e1ca4fb3000733504b0955faba4d1fb517cee56

    SHA512

    328323fc2fb6eb952ef882214aa6891aef46c3cb04ba7a9745082d7bc6304a39dc6d0d36c15d71bca7198f90a0a27ac38c917810fe16c21a3785de469e757a85

  • \Windows\SysWOW64\Ncmfqkdj.exe

    Filesize

    128KB

    MD5

    5cd92844641ac1273a6b912b0b863ebd

    SHA1

    c875c17cd65f9501200094c2dca114011b9718cd

    SHA256

    f962335f2b4295391a2ef3846126b29aad506a359e827413e5deb799d8c1ce6e

    SHA512

    9b9d70fa2b91c455c70bd3df42379bd41522a7cabe7daa4711575c356bfec83af481bfea4b760cf4a98bd2914e8d3408cc06c4c82a733a687eac20aeb6aeb9b0

  • \Windows\SysWOW64\Ngdifkpi.exe

    Filesize

    128KB

    MD5

    8537c58d2ef8b830e2684b4272da3f36

    SHA1

    c13349a1d5d0651e3962d7a350d2c3bfae917d33

    SHA256

    d167e9cc3c9fb354028496ae3d663448079a13a596978bd60c20b751c54c16c9

    SHA512

    f403c643e26487ffb41f2742a6a9c056da87adcf60ff8a7717dfdfe42d961860e485401ceac3dff5a165c48ff0aaec035d71563d92350988991e4c6bed4f8f72

  • \Windows\SysWOW64\Niebhf32.exe

    Filesize

    128KB

    MD5

    c2595a1db9aede63ed9e3d8ea36d84a4

    SHA1

    8770395a8adc8fd53b6a7b4e592c78aa2196def3

    SHA256

    eb79f5f9a27d71372a1aa7b6a04973aec703af51eefb011c3ff1a6496844a625

    SHA512

    ac49e03d5c636f0736dc0b8583444aa9f7aa3d7fdd62e90a71e575d8625358bb21159d536e263ce2385e9b5e02c7919db234711b24a77522a796ed17ea4f57ce

  • memory/1192-111-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1192-285-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1544-132-0x00000000002E0000-0x0000000000314000-memory.dmp

    Filesize

    208KB

  • memory/1544-124-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1544-283-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1720-268-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1720-216-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1776-262-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1780-275-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1780-176-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1780-189-0x00000000002D0000-0x0000000000304000-memory.dmp

    Filesize

    208KB

  • memory/1872-276-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1896-82-0x0000000000440000-0x0000000000474000-memory.dmp

    Filesize

    208KB

  • memory/1896-282-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1896-70-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2020-264-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2020-245-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2156-190-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2156-270-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2244-203-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2244-269-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2360-226-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2360-266-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2364-244-0x0000000000290000-0x00000000002C4000-memory.dmp

    Filesize

    208KB

  • memory/2364-239-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2388-272-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2388-98-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2428-167-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2428-274-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2532-67-0x0000000000270000-0x00000000002A4000-memory.dmp

    Filesize

    208KB

  • memory/2532-43-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2532-281-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2556-279-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2556-41-0x0000000000250000-0x0000000000284000-memory.dmp

    Filesize

    208KB

  • memory/2556-40-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2580-68-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2612-263-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2612-271-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2660-280-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2660-24-0x0000000000440000-0x0000000000474000-memory.dmp

    Filesize

    208KB

  • memory/2660-27-0x0000000000440000-0x0000000000474000-memory.dmp

    Filesize

    208KB

  • memory/2660-14-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2760-273-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2760-150-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2804-284-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2804-85-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2804-97-0x0000000000250000-0x0000000000284000-memory.dmp

    Filesize

    208KB

  • memory/2812-13-0x00000000002E0000-0x0000000000314000-memory.dmp

    Filesize

    208KB

  • memory/2812-277-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2812-0-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/2812-12-0x00000000002E0000-0x0000000000314000-memory.dmp

    Filesize

    208KB