Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 14:13

General

  • Target

    f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe

  • Size

    79KB

  • MD5

    b64171ce263422c51e1427615db70670

  • SHA1

    6ddba0911a4c0a31a1f8b2f9605f4ce918d6fc96

  • SHA256

    f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40

  • SHA512

    ef6bb142f487e9b5b132d698a3f607da49c5bd444888d37d7e2b82ceb33d35990edf93dde3d642aea417b34d7dcac2f206341dd810d8ff911a56a46808beb020

  • SSDEEP

    1536:o69pD+IAi7yPXchbEAQbZWqfkCsT6ZrI1jHJZrR:ouaNXc29fkCsT6u1jHJ9R

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 21 IoCs
  • Drops file in System32 directory 63 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe
    "C:\Users\Admin\AppData\Local\Temp\f9e391a5bb30ab65efcaac46c06d8393959eab563c1be37b5c7cdc0ca35dab40N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\Cfdhkhjj.exe
      C:\Windows\system32\Cfdhkhjj.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\SysWOW64\Cnkplejl.exe
        C:\Windows\system32\Cnkplejl.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3740
        • C:\Windows\SysWOW64\Cajlhqjp.exe
          C:\Windows\system32\Cajlhqjp.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\SysWOW64\Ceehho32.exe
            C:\Windows\system32\Ceehho32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Windows\SysWOW64\Chcddk32.exe
              C:\Windows\system32\Chcddk32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4224
              • C:\Windows\SysWOW64\Cmqmma32.exe
                C:\Windows\system32\Cmqmma32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4468
                • C:\Windows\SysWOW64\Ddjejl32.exe
                  C:\Windows\system32\Ddjejl32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:388
                  • C:\Windows\SysWOW64\Dfiafg32.exe
                    C:\Windows\system32\Dfiafg32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4948
                    • C:\Windows\SysWOW64\Dmcibama.exe
                      C:\Windows\system32\Dmcibama.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2308
                      • C:\Windows\SysWOW64\Dejacond.exe
                        C:\Windows\system32\Dejacond.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1860
                        • C:\Windows\SysWOW64\Dfknkg32.exe
                          C:\Windows\system32\Dfknkg32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:4108
                          • C:\Windows\SysWOW64\Dmefhako.exe
                            C:\Windows\system32\Dmefhako.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:636
                            • C:\Windows\SysWOW64\Delnin32.exe
                              C:\Windows\system32\Delnin32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:1800
                              • C:\Windows\SysWOW64\Dkifae32.exe
                                C:\Windows\system32\Dkifae32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:5016
                                • C:\Windows\SysWOW64\Dmgbnq32.exe
                                  C:\Windows\system32\Dmgbnq32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:4808
                                  • C:\Windows\SysWOW64\Deokon32.exe
                                    C:\Windows\system32\Deokon32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:4296
                                    • C:\Windows\SysWOW64\Dhmgki32.exe
                                      C:\Windows\system32\Dhmgki32.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of WriteProcessMemory
                                      PID:2592
                                      • C:\Windows\SysWOW64\Dkkcge32.exe
                                        C:\Windows\system32\Dkkcge32.exe
                                        19⤵
                                        • Adds autorun key to be loaded by Explorer.exe on startup
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        • Suspicious use of WriteProcessMemory
                                        PID:4836
                                        • C:\Windows\SysWOW64\Daekdooc.exe
                                          C:\Windows\system32\Daekdooc.exe
                                          20⤵
                                          • Adds autorun key to be loaded by Explorer.exe on startup
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies registry class
                                          • Suspicious use of WriteProcessMemory
                                          PID:2896
                                          • C:\Windows\SysWOW64\Dhocqigp.exe
                                            C:\Windows\system32\Dhocqigp.exe
                                            21⤵
                                            • Adds autorun key to be loaded by Explorer.exe on startup
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            • Suspicious use of WriteProcessMemory
                                            PID:1104
                                            • C:\Windows\SysWOW64\Dmllipeg.exe
                                              C:\Windows\system32\Dmllipeg.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:3940
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 396
                                                23⤵
                                                • Program crash
                                                PID:2960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3940 -ip 3940
    1⤵
      PID:3280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Cajlhqjp.exe

      Filesize

      79KB

      MD5

      44f1615a26e8b4a320fa6697b4f786dc

      SHA1

      6dafcc42188d439f3fcc5202dd622fc84348427f

      SHA256

      fc70376969f33ddc28b67f86dc0edd3e680c5d9b05c01727d5b387e0af2c5a54

      SHA512

      884193dfdc783b5f334e184d49cad5231a34cc51cd43b49bc5ffb0669391ded040dc2a1d4dc639d6a5e1b4f50a7c68c918e97771d8a50de0a2c52b2a84f7b166

    • C:\Windows\SysWOW64\Ceehho32.exe

      Filesize

      79KB

      MD5

      aeb9e3137e26d2dae3490239b84ab5d9

      SHA1

      77f547335f253def74173fb0e6db7cb9a4c5aa12

      SHA256

      eb1095c829d4227c58b84bbfd58678250ff1405dc28eb941ba1798b18354ded4

      SHA512

      db55b5aa2f49f2e35f19a7dee2800994f08c419c35866b071b096b7ce878bd96130e3d8584d4037d920354c473270b3aca10b9366b982041fcb32f84195d5ebc

    • C:\Windows\SysWOW64\Cfdhkhjj.exe

      Filesize

      79KB

      MD5

      f1afeebbd4a090e2280dec69a67a14fd

      SHA1

      2e790265aaff6876402aad08c5aac5a3becb7af0

      SHA256

      b09879766d5e06fbccb93ccb07385c3ef888d3bac81737073bea4a2ddbecc96d

      SHA512

      a1572afa7df536950865d409a4bbba49402b65a7d2fdc9a2216153195efacc8ebce5130e2c54306e57d34892056aee60c6da51ebdef4b2438913f6fdc5a30146

    • C:\Windows\SysWOW64\Chcddk32.exe

      Filesize

      79KB

      MD5

      f51d05790387a743081e3e0acbc28d8f

      SHA1

      c49e078283e870478b8924362034d1295e9baeb8

      SHA256

      8d73aba77b0cc2a9b4e21163806a4e9814a34ea1b8ff3c66459dea5836bb5147

      SHA512

      985e626c8ec7f2153e56c25a5eac1939db32613cde57f04776706cc3d46bc1e133b1d428ea1912e23dadbce7aa90376e921e7b62b45949d073e5d12e1430afa8

    • C:\Windows\SysWOW64\Cmqmma32.exe

      Filesize

      79KB

      MD5

      910012e3a5a9ca107487ae377e0e1b91

      SHA1

      64ebe8cb2f8a744995e374afc94311b03f44ecd4

      SHA256

      ad5be38756c7fc607ace7df536cce13ac8e9dfdbcbbd5e1a378812cd4fba594f

      SHA512

      16e29745c8a382677feb238693b8a3a0f9ce4bf586fb5542050acba073bbda7f07b8da469b54ac78ca076a71e13449cf91af3c985fb62cf79757908105f5fd5e

    • C:\Windows\SysWOW64\Cnkplejl.exe

      Filesize

      79KB

      MD5

      df6a2c481688b1adc38503fc73d2be7f

      SHA1

      f9116af1e8deb6430a7741b3abbf9615bd10e8d4

      SHA256

      e462345d897812e0725d6e002d50e897a623fe0850363096ad5de1d306c42888

      SHA512

      feef8668516643e4ec1d72a4f8b7afdebcf8a9a72b54b66eeec48b40a94bab0db80d5180ceb568938a25daba84a4a98f4a41a61fc05bb45ff540f8067b0a8e9b

    • C:\Windows\SysWOW64\Daekdooc.exe

      Filesize

      79KB

      MD5

      119b83e7f48a0d4f3a6513c0e2a0d4a2

      SHA1

      dc929f35d3f872ccc7abc9615160ac0cdc5c6d08

      SHA256

      c0ee5179ca59f817142aed03f9fcaef00615e71fe8072d3a79c173ebf3a2837c

      SHA512

      817df930c493c4f6a670a6b829ad436b2844b1c50c0209ff10d01cd1c3b2f74d1a7354fa23b24c00f41a13bdf53bb0c1de5ca84ed11ba4bbd72c092cc505caf3

    • C:\Windows\SysWOW64\Ddjejl32.exe

      Filesize

      79KB

      MD5

      0e69f2e6a60de19695748f71b9313b46

      SHA1

      94007b1a00c05ef439ff838eb62599ca993ea823

      SHA256

      769665b9476517dfe794f02cd4a1491cda8ea82e8d884d54350ea801ad51c0ae

      SHA512

      7b041212a8b26d21780e6f666c6f6e67780417bf07ac0d3e3b2ac44a316a0c23bd9044f88369c2453eef811a7f3d2a720cc66638efdc41104f798767bcf2bbae

    • C:\Windows\SysWOW64\Dejacond.exe

      Filesize

      79KB

      MD5

      ac8a4cb55e458573ff885ee870a097d2

      SHA1

      7c118c36cc9fe0ddab8520b5509559903ee158c6

      SHA256

      e046f8782542a9b0503658bf89414e5dba0be8d944418c0aae3c505184f78d74

      SHA512

      6fb48e04d8c1a9ab651392b902e90458f739992e009d1e5c473c3b4d2c29bf9dc8ca2aa4293f8ac9e5ada8fda31f9249da340a012e4b6b456d1c922863eeccdb

    • C:\Windows\SysWOW64\Delnin32.exe

      Filesize

      79KB

      MD5

      ed9ef5bc93c8808c7e831f8808a56a2d

      SHA1

      c0df00e68c16df0f2d968afd8e3ca4e35d3eb051

      SHA256

      d962c991d251297dd7864d79eeb0db4d0a318a6e9ab03a942535f898462e51df

      SHA512

      cb56583d7581e5dec4403efda4cf24618ea12c7d070c63c09418400067d970b5921a62e52059299f5276d488c1aa6c991aec69012762cfef8265700d4f6f86fa

    • C:\Windows\SysWOW64\Deokon32.exe

      Filesize

      79KB

      MD5

      d795521a752d54e88f982191e4b3cfc7

      SHA1

      f14c94bfb11f642606db95dd0d93c90bd336db7e

      SHA256

      dbeb71e729f0e398bc910fe49718ddaab689b34f87feaa1af02dd128e10e8111

      SHA512

      6ca9c4705e545b1f37f8f02886d8f059ab1fb0bd2e7a5dd7af970e60ed4de7fb947746b07b6d5073deb442d206fefffa75906b929ee95607c7f017b18c385c7c

    • C:\Windows\SysWOW64\Dfiafg32.exe

      Filesize

      79KB

      MD5

      970192c164ffd5a40b9a9ca385771dfb

      SHA1

      9a58f435d1ad815755b48aeec48b5078af9683ed

      SHA256

      1b6f34ab46520347aec5a2a84900f1e4316b544342be98adbd1a969e7b58a51f

      SHA512

      6f889e4110d151679ce8967f671f6a062350a88e1060c15750e5ca8acf2a4a1938de9fedbb2e155c19bc04ac8b7a4b0bf47df84d1cecb6e0317bdff33a87c8c4

    • C:\Windows\SysWOW64\Dfknkg32.exe

      Filesize

      79KB

      MD5

      3a286b6be5d8ebe5c598d5bd1ba4abd0

      SHA1

      82065c559e7ecd8b1e8122f8a3bcf7e9f01440aa

      SHA256

      b519cf0aee9be04607f9415242ff098ad717c85f04418fb99c0c3f30282a503d

      SHA512

      4d8ef1767b0b84c2d8edd802fcbf72fd82e69db365ad9d71a547d69403292670a65ce0b895980c8b80587cc8ca905e61666f8195a2ef0960fc4762aac17e1fcb

    • C:\Windows\SysWOW64\Dhmgki32.exe

      Filesize

      79KB

      MD5

      3e15279f9f3a45c9ac9ab720c7abf4af

      SHA1

      1ecddaf04192baba63defa572ea1870514957755

      SHA256

      8b9d9bd41ec66001b118318fd27f237be9177d65702293ecf9cb0f2885875f39

      SHA512

      ec47fc6927cef4d73fffd9f9e4cd8aaebfc0c4d4d240b54573f9478504dd003e0ece62c0c48fcce9af6d82fe414b1812de4e27dcb840989953b334ad24c10b43

    • C:\Windows\SysWOW64\Dhocqigp.exe

      Filesize

      79KB

      MD5

      959455ec9f3715339248e3921bd91909

      SHA1

      73c8d0d99a761e672f0788524e2a21ce3cc06a0f

      SHA256

      422857dd2dd18c61c8c9067008b6e3bbd5c3e9f1c9fb3f59aee8cccd4ec4af92

      SHA512

      ec71318a2a08434c623928d9863f6f032d3556c2cfbbfbc5daee0db24c35951f0559165baa711cbdbc370cfcbeba10df820790d5c9bae23dbe8b4964431c8528

    • C:\Windows\SysWOW64\Dkifae32.exe

      Filesize

      79KB

      MD5

      8f7820545b6e68324a1d06d430b0311c

      SHA1

      1cd0c3da3d6d507af7fae0d374b32e9f7e8637b0

      SHA256

      83f50ea748ea258ca82a296a28cd9f6c282bb4e7da815ba04058f2f150a13b0f

      SHA512

      9a554887e8221603c5b423868503847574f7dd1650f447ad822d6969a04e3cbf562517758ec179578e959ec8d6baf9a07dd5da905d6e82e37bdd5687e24902c9

    • C:\Windows\SysWOW64\Dkkcge32.exe

      Filesize

      79KB

      MD5

      26cc565ab395624794c773aaca4adb5f

      SHA1

      8bc4e5c7bd3307b4663cca311caaf4326c93d7ab

      SHA256

      372ab1dff86aacad2f549302d0f16a6e21bd9f9137c626727bd1f8c401747f4a

      SHA512

      d476e5c0f5a149397bc100b427d4012ed71cd889709440b26ee254a73d4696b3dcfd933ad825a70b666271ddd5b4f8a4051333d9b2a4c3b0c05919fadf6c5d2d

    • C:\Windows\SysWOW64\Dmcibama.exe

      Filesize

      79KB

      MD5

      0b16e6e81d637ad0c1485a12facb0aef

      SHA1

      0a8e6bcd081c2650de6c960b9bd20f99662ca99d

      SHA256

      c03080306431d3ceda602dfda31eb330d49b8084314df01be758d5fff332ca93

      SHA512

      606f30cad44908667f1f0856006f10ff5fea9d768102d8aacb8f4b9a4669734d4616e9fa25c326e3bed7318fc569fb8b8d04734064e3847d2474cd2dc270cff6

    • C:\Windows\SysWOW64\Dmefhako.exe

      Filesize

      79KB

      MD5

      91aef822f03452775de5921c00a0fca0

      SHA1

      d22403431aee72620268bd8eaa0a5bd03f2deaa8

      SHA256

      3980404147a92532f8ccb1c76512d90373a6731ba9090eebb0567c2d16746c49

      SHA512

      dbd424ec9b9e3bfa4b4aba24517243fcca2ccce4c020e71d55a7575438603c6d1c5aa4ed53c1b1d2fdf99d610d9b5bf09c791321f5162c7e06fc06806fc14df5

    • C:\Windows\SysWOW64\Dmgbnq32.exe

      Filesize

      79KB

      MD5

      b87f35f491cb780069cd26e2c7b4fe18

      SHA1

      88e7e6987a9ac6c4a7561663acec60e6d9cd1d5c

      SHA256

      37505d4c05c464c90900f8623a4e7b8ca2ea5d9ecbc9a75601078c3ace4c1f9c

      SHA512

      de49e5e10ebcc244ed78d745fa9008e0a6dc46d034a4976cc63e17b179e7d9630dec0d3a573af6d0010fee82052a41a9850a72474be068051f7466c722c6c554

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      79KB

      MD5

      7bc67fdaa2778f116d1fe3713e82af4b

      SHA1

      c943bf2ec64fa002f940a3d2c89326ad3aa0956f

      SHA256

      1cfc5bfe2cd028ad415ecbfad0c3e75fd0e6e7545a0594589f4b79eec389f9b3

      SHA512

      c75899c55599fa8ed3e5726b5ed92de2b1049fdf7e442578a82688f5af673438eed5628de26e5d319ac5bf0e2dde81e5d0a533cea12c3ef37f196c7230f7de48

    • memory/388-56-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/388-183-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/636-97-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/636-187-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1104-160-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1104-171-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1800-104-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1800-188-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1860-185-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1860-80-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2308-72-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2308-184-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2404-181-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2404-33-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2592-174-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2592-136-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2896-172-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2896-153-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3740-17-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3740-177-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3940-170-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3940-168-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4004-179-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4004-25-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4108-186-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4108-89-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4184-178-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4184-8-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4224-182-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4224-40-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4296-129-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4296-191-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4468-180-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4468-48-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4808-190-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4808-120-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4836-144-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4836-173-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4844-176-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4844-0-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4844-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

    • memory/4948-64-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4948-175-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/5016-189-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/5016-112-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB