Analysis

  • max time kernel
    61s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 19:13

General

  • Target

    909562a0d0fd5614e5a1bed3747e54d9ce79e0716df39971edd1c82872b40abeN.exe

  • Size

    93KB

  • MD5

    dece43786af57e66f84a615f91e9d6d0

  • SHA1

    65ed0cf354a954210492959cbd0451109aa6eee9

  • SHA256

    909562a0d0fd5614e5a1bed3747e54d9ce79e0716df39971edd1c82872b40abe

  • SHA512

    04c3ca601b97bd630c0be51c56cc4b9ca6cf2fab2112bde3f13255d8286d0053c4fa5c3bb496e6314e98caa63fff48e3f194623cdecbaade4010ef31b9b8ce1e

  • SSDEEP

    1536:k/JknW3QYMud89zCoqhzpscqHmXlHy1DaYfMZRWuLsV+1T:k/eNudEzCSjWlHygYfc0DV+1T

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 40 IoCs
  • Drops file in System32 directory 54 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 57 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\909562a0d0fd5614e5a1bed3747e54d9ce79e0716df39971edd1c82872b40abeN.exe
    "C:\Users\Admin\AppData\Local\Temp\909562a0d0fd5614e5a1bed3747e54d9ce79e0716df39971edd1c82872b40abeN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\Jfaeme32.exe
      C:\Windows\system32\Jfaeme32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\Jefbnacn.exe
        C:\Windows\system32\Jefbnacn.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\Kbjbge32.exe
          C:\Windows\system32\Kbjbge32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\Koaclfgl.exe
            C:\Windows\system32\Koaclfgl.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\Kekkiq32.exe
              C:\Windows\system32\Kekkiq32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2612
              • C:\Windows\SysWOW64\Kmfpmc32.exe
                C:\Windows\system32\Kmfpmc32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2348
                • C:\Windows\SysWOW64\Kenhopmf.exe
                  C:\Windows\system32\Kenhopmf.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2436
                  • C:\Windows\SysWOW64\Kfodfh32.exe
                    C:\Windows\system32\Kfodfh32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2884
                    • C:\Windows\SysWOW64\Kadica32.exe
                      C:\Windows\system32\Kadica32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1588
                      • C:\Windows\SysWOW64\Kpieengb.exe
                        C:\Windows\system32\Kpieengb.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2824
                        • C:\Windows\SysWOW64\Kkojbf32.exe
                          C:\Windows\system32\Kkojbf32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2620
                          • C:\Windows\SysWOW64\Ldgnklmi.exe
                            C:\Windows\system32\Ldgnklmi.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2096
                            • C:\Windows\SysWOW64\Leikbd32.exe
                              C:\Windows\system32\Leikbd32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:572
                              • C:\Windows\SysWOW64\Lghgmg32.exe
                                C:\Windows\system32\Lghgmg32.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1688
                                • C:\Windows\SysWOW64\Lhiddoph.exe
                                  C:\Windows\system32\Lhiddoph.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:2328
                                  • C:\Windows\SysWOW64\Lcohahpn.exe
                                    C:\Windows\system32\Lcohahpn.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    PID:2488
                                    • C:\Windows\SysWOW64\Lhlqjone.exe
                                      C:\Windows\system32\Lhlqjone.exe
                                      18⤵
                                      • Adds autorun key to be loaded by Explorer.exe on startup
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      PID:1276
                                      • C:\Windows\SysWOW64\Lepaccmo.exe
                                        C:\Windows\system32\Lepaccmo.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:892
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 140
                                          20⤵
                                          • Loads dropped DLL
                                          • Program crash
                                          PID:288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Jfaeme32.exe

    Filesize

    93KB

    MD5

    6755ec0bfbd226fdaca6aba3092a87cb

    SHA1

    b62aa9d80f6b0a30b84819c8a16ae0802903cb13

    SHA256

    9f8b8538e5bcdaa5cb4cccac11bde8f1cb53d1d9d04ba92f3af681fc559dd553

    SHA512

    1537e97c7df4ea00d5b935ca4d91872faee36cc8f9c1909915ff167256d389232a366e507e2153d0d1ae9c07a786b2c6f345026bfc444f369f3143eb4cb27679

  • C:\Windows\SysWOW64\Kadica32.exe

    Filesize

    93KB

    MD5

    df268dc4fadda5954edcfaf35e813a19

    SHA1

    be65a85f7db2ea494cd8a07779dbb576a5138543

    SHA256

    6d559d8842439ca166a5216da83d03a70245d663c99965e83574b93c9c5f4720

    SHA512

    0c1bd3d96ff682f68d7638cb0d017091a35f8f6dc5d5acdf812d371f6f0510173fa914f9cb15c6fea681b25fbb616497d9f1570f40823a8ccbf866f9fb9b430a

  • C:\Windows\SysWOW64\Lepaccmo.exe

    Filesize

    93KB

    MD5

    ee96ffbd890d2b8a62da430d0457dc93

    SHA1

    44151b90a6ec20009803aabfbb8c6ed747cdc660

    SHA256

    a42e7676aa13d3336b96acebf27250427d5bfec807dcf2e39ca4d35e8479cb7f

    SHA512

    20a2f46e05fd4a5a01e5e6049754af71f59f47fdea9e48f734c7b677b46158005acff475c4db995437075d50921b46860ba4780899dfdf5984c9112dec047b88

  • C:\Windows\SysWOW64\Lhlqjone.exe

    Filesize

    93KB

    MD5

    4717d215961f53b87f88f9d769a46dee

    SHA1

    86840385d8d2798f31fdc672ef8f5080a746dfc3

    SHA256

    90b39b98d9131ae7b979716d5f9abd2756e26131db8cce0a89fd75c9e2680fbb

    SHA512

    4c161a92d278498eb530ef801d8e88e83d78dfc061a29d7e1277ea97ccb8e76f036c4faa100a71723b5107f9a4782938909db3153708bd90fbff5066813b4fa7

  • \Windows\SysWOW64\Jefbnacn.exe

    Filesize

    93KB

    MD5

    d73fbf642fca0da738a03fb90380ea11

    SHA1

    e3454ace3ebdb85291248ae3be6346dd0b3382a1

    SHA256

    954098a629ed35715015c134bd7063d1f7b2fe6be26b468fc83544930c44c571

    SHA512

    aee3161d28ba013f4d56a54c1b04802c78d63c887301014e0e793979e5f2936f609ae9b0cae6ea749c6681010d3ae29ab32b381b40807f1f6cd8be660dbd8da4

  • \Windows\SysWOW64\Kbjbge32.exe

    Filesize

    93KB

    MD5

    b38f2a9578e4f2475dfff641038aeacd

    SHA1

    519b3abe2186d9ce8f3ed88c2f25867ee7e86861

    SHA256

    1b5506e8661e5aa06a7dacfd96c4b43da9f8b5153eadae49af49b47265392716

    SHA512

    47860d30a2b3d9497dc4fbca9f98027c7f059962f6967d4dfeb69586b27e5e00a01629fe807fe0671f5d3332fad5d106c120a33f83def5dd90ac6ad3bc655ac6

  • \Windows\SysWOW64\Kekkiq32.exe

    Filesize

    93KB

    MD5

    488adf0e1f63fb3558d64fbd0822a0e7

    SHA1

    d60c508d3c79db279c1f244bf71f4a0e082a5d06

    SHA256

    6aa00b38e8380135e687ffcd183d88cb37024fb7b63b438c7bfbc09cb9d3b1d8

    SHA512

    c1a8ea4f582bfc4d36bb615452c5f1f6a5f53a3db9850371543dcdccbad7060d44782003b4856009a8d4bb3865e5ddba46785dad5057c35582b3744531e2d87f

  • \Windows\SysWOW64\Kenhopmf.exe

    Filesize

    93KB

    MD5

    a6bf004076075b05eb9dc8027f3a7bd9

    SHA1

    d721110bb2960beffb9e0c335cf64ead01f7b458

    SHA256

    ac4053738d1ba9ccacb4fc97decfb0b58ab4f97c69c3653ed16cf1a7fec45f2f

    SHA512

    3eb6ee0f370d5d07981f73263f05c1c3b7f9d0c16404b7d1f59ce2783f387daeaaf2d6ea6dc7bababe21655c82b581293e85acac7a1a2111d1031fad227d89fe

  • \Windows\SysWOW64\Kfodfh32.exe

    Filesize

    93KB

    MD5

    b052dda85d096c8cbf9b10538ed53fca

    SHA1

    45d7bdc4bd946f4d020fd07f557689d6bcee9ca2

    SHA256

    d23060b6f945d57b0beee256deb3e88a6e013324f270ae0ad58bd6922da9921c

    SHA512

    19bf703f778a45b905c4a5a0f96a5b3499a2e91e9f69190d24ade691ae857990a733e64edf410453c48b7d3bb23448985edf63b26e83cd72c1cb82982dc2641a

  • \Windows\SysWOW64\Kkojbf32.exe

    Filesize

    93KB

    MD5

    7e74682be54b704455161908fa22f665

    SHA1

    d163af13f133a3ea2f5dda613f982596987c2f87

    SHA256

    f1ebeeddf439a7da3e65cb3a86a3b1c792fc3d4bde452a3a6f82e42d872e0c4c

    SHA512

    10e5cea6b7cf2c2c046e6cb6929b9d23e3a5b22f47aa28e655d021d70e85648b3dec12853dfe374416df8ea0767a7b27845f5e505aa73a6742a4b43c7d35505c

  • \Windows\SysWOW64\Kmfpmc32.exe

    Filesize

    93KB

    MD5

    b9ce56f4fc217c0a3f38a4cc25c1a294

    SHA1

    3205530720d7d1a67c1ad089e4c63bf66387d9a6

    SHA256

    e9f2cda49e47814793f6c9b8fb35cebc3021d2f8e1256a8e61174b570e61c9e4

    SHA512

    10217fb135a3c597c9fe1ef4a2a9ae94b82e1df681ceb2f3277d9a212641faafcb66dc86ed8ca1882e0e4b898d21dc1244144b8503c072040f0fb4eded883e89

  • \Windows\SysWOW64\Koaclfgl.exe

    Filesize

    93KB

    MD5

    5e664467c3ffc86e26712bf1c10105c0

    SHA1

    b1321e53237e8f627d732f80af61a7c83dc19a43

    SHA256

    4261f0d6f34a86a2064cbdd6c83c6b5e2d3f088d925a71a212642ded7b3cc014

    SHA512

    7eecd6fd425189aba816281f73143d43fefc443e22f8021b8489299a4456f3652aa648d4a4b35fc38c9ebae8d639f518489067f55642bbf9b15fe8ba5f8027c7

  • \Windows\SysWOW64\Kpieengb.exe

    Filesize

    93KB

    MD5

    d03b7bfcc35499cc9ebd6b0c82d120bf

    SHA1

    d2ae8c7bee43ddcf9dee7a1e95c570682b8d5d5c

    SHA256

    88fb32d27b1a52ab2771dfaf364c253b0885a4c96dd1444f4312337d470326c8

    SHA512

    ef733f146bcf681aff4f39088a944a28c54364fe405cea2748b855c63bfd120bf512d142d30a3fd9ff651e804bf3f31de360d18c8288d14be0315f012bf9e96f

  • \Windows\SysWOW64\Lcohahpn.exe

    Filesize

    93KB

    MD5

    827c42be3a0821d36bace33cf3a63276

    SHA1

    c585d4a30ec49c99c31902f5719c5b8aaf2de096

    SHA256

    497b19c5496c0d8aaad5948f5516adefd5d27eb0af8fada3f102fd9794ca2987

    SHA512

    76351547b838e840354258d08eef32ab85d59a62621c162aecc2c549a35728178e98078485d7d81efe8ce18b0c915a806c384d2ec5a095939d2fbb3b222f05d7

  • \Windows\SysWOW64\Ldgnklmi.exe

    Filesize

    93KB

    MD5

    881c1e50746123eaccdca04a07a4fb02

    SHA1

    fc312d6220a0b26cbf903643f7b0c4ed986f8377

    SHA256

    bdc249904d75b1d361b079e3bc461772a3449cbeff1efc8cd2ccc7ad346e3435

    SHA512

    0baae5083503e4d3c09a23d74ca433f6ab2f4d08593c8afe63176be5fc5b283476c27aa4735e5bd980b4d160428ca4f10b6db9d9791a1f91f7aec0ae143cf7b9

  • \Windows\SysWOW64\Leikbd32.exe

    Filesize

    93KB

    MD5

    0e93a27c621f5457f16ac6eda87e6e03

    SHA1

    4014605d1feaa3899548cf6c366ae375542ad3f9

    SHA256

    1c953f5450787ea4b11c1ec36d942f772885ccdb4de7b353b12eb654dd2f3462

    SHA512

    39548da79d8685338824dd6e26e13553e811e2cb1dc662acc5cdd2e35f7a06e39f9bcdd3d1b04a049542c8bfa3d51ab9eb659c4e3378b479aca98c2b65e6a833

  • \Windows\SysWOW64\Lghgmg32.exe

    Filesize

    93KB

    MD5

    0a01310cad642abed4131d31e14bf723

    SHA1

    0868702185c9c1db19c9ff09325bdea7e18c1168

    SHA256

    096e55d06cdb2e2cafab7bc37eb55c0c0f4f4a1b6d91ffa284e9e046462545a9

    SHA512

    ff287911c4cc0676b6a17d45a67e98aecee4dc6d726c2316b8bb8409a233df2a3cf3a7d76fbd1d1e6474235c1fa54b71cfc7ddce81058a0eb32ce599aec2f6dc

  • \Windows\SysWOW64\Lhiddoph.exe

    Filesize

    93KB

    MD5

    daa02ad21f4b5c73a7df3e344fbca969

    SHA1

    9da3d23ec34088c8be98e62950ae4cb4a8445fc4

    SHA256

    8aca50f16bad2548e0a885eb1d9c5d1db81137cc48c173c05fa7fbeea878998b

    SHA512

    4e54bc9e5933542b48d7cb8483809bbcfb3b61803d87bbd0e661e01d31d457d832d9abb36228c6a4fa505598da528fb50c52d68786800894d378d662edea9692

  • memory/572-183-0x0000000001F30000-0x0000000001F63000-memory.dmp

    Filesize

    204KB

  • memory/572-246-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/892-255-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1276-226-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1276-232-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1276-240-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1588-129-0x00000000005D0000-0x0000000000603000-memory.dmp

    Filesize

    204KB

  • memory/1588-253-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1588-122-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1688-189-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1688-244-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2096-162-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2096-247-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2096-170-0x0000000000260000-0x0000000000293000-memory.dmp

    Filesize

    204KB

  • memory/2188-11-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2188-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2188-12-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2188-266-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2328-248-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2328-210-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2328-202-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2348-83-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2348-267-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2376-14-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2376-22-0x0000000000270000-0x00000000002A3000-memory.dmp

    Filesize

    204KB

  • memory/2376-273-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2436-269-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2436-107-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2436-95-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2488-216-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2488-239-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2612-69-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2612-272-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2620-258-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2620-149-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2708-50-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2708-264-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2708-43-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2756-265-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2776-263-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2776-40-0x0000000000270000-0x00000000002A3000-memory.dmp

    Filesize

    204KB

  • memory/2776-41-0x0000000000270000-0x00000000002A3000-memory.dmp

    Filesize

    204KB

  • memory/2776-28-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2824-254-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2824-136-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2884-252-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2884-114-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB