hawkeye | d11eafc2b57f14d9140c1b8b6e36748b8c2f77f25a9cc0700d103d00678f5147

Analysis

max time kernel
207s
max time network
212s
platform
windows10_x64
resource
win10-20220414-en
submitted
20-06-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Details File Copy.exe
Size

974KB
MD5

b5464c82d6bd5268c38367beb9108ef0
SHA1

d4d10c50fa9dd4c6552fc5d784bc8cd3d990769a
SHA256

d11eafc2b57f14d9140c1b8b6e36748b8c2f77f25a9cc0700d103d00678f5147
SHA512

c6adb6d695813d8a32acee6774d22438fc8bacf905c88eec5c230b26a7bf20f578e501d5a8059964891df1d3469d864360fdf88dc23fc068af1e1dc0ddf203d4

Score

10^/10

hawkeye modiloader remcos pro origin keylogger persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

Pro Origin

185.189.112.19:5481

104.254.90.243:5481

199.249.230.22:5481

146.70.61.147:5481

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
yutyikhjh-WE9ENM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
suricata
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Details File Copy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pefuspjpfx = "C:\\Users\\Public\\Libraries\\xfpjpsufeP.url"	Details File Copy.exe

Drops file in System32 directory 7 IoCs

Processes:

dxdiag.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dxdiag.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxdiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe

Modifies registry class 34 IoCs

Processes:

dxdiag.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exedxdiag.exe

pid process

4944 powershell.exe
4944 powershell.exe
4944 powershell.exe
4412 dxdiag.exe
4412 dxdiag.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4944 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dxdiag.exe

pid process

4412 dxdiag.exe

pid	process
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4412	dxdiag.exe
4412	dxdiag.exe

description	pid	process
Token: SeDebugPrivilege	4944	powershell.exe

pid	process
4412	dxdiag.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Details File Copy.execmd.execmd.exenet.exeDpiScaling.exe

description	pid	process	target process
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	cmd.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	cmd.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	cmd.exe
PID 4740 wrote to memory of 4840	4740	cmd.exe	cmd.exe
PID 4740 wrote to memory of 4840	4740	cmd.exe	cmd.exe
PID 4740 wrote to memory of 4840	4740	cmd.exe	cmd.exe
PID 4840 wrote to memory of 4184	4840	cmd.exe	net.exe
PID 4840 wrote to memory of 4184	4840	cmd.exe	net.exe
PID 4840 wrote to memory of 4184	4840	cmd.exe	net.exe
PID 4184 wrote to memory of 4028	4184	net.exe	net1.exe
PID 4184 wrote to memory of 4028	4184	net.exe	net1.exe
PID 4184 wrote to memory of 4028	4184	net.exe	net1.exe
PID 4840 wrote to memory of 4944	4840	cmd.exe	powershell.exe
PID 4840 wrote to memory of 4944	4840	cmd.exe	powershell.exe
PID 4840 wrote to memory of 4944	4840	cmd.exe	powershell.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 1500 wrote to memory of 4740	1500	Details File Copy.exe	DpiScaling.exe
PID 4740 wrote to memory of 4412	4740	DpiScaling.exe	dxdiag.exe
PID 4740 wrote to memory of 4412	4740	DpiScaling.exe	dxdiag.exe
PID 4740 wrote to memory of 4412	4740	DpiScaling.exe	dxdiag.exe

C:\Users\Admin\AppData\Local\Temp\Details File Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Details File Copy.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Pefuspjpfxt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\PefuspjpfxO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:4028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
3⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
Filesize
81KB

MD5
b51524da6717026853bdd4ebd15cd8c2

SHA1
4d8b0a10d6ad3cd6f6f083bf67e4988a3fef53d0

SHA256
92929ac13e5cfe52db52c7a454eef20b9f5615c99386d09bff6d5c3c938f73ad

SHA512
6689638c447a70846dedee424731071aa4826d930514714636e604287c8c29a0f1856c61c8074dc8e53c6a30d18b51db9fe615c63e99ecf86d5bf70cb329c354

Download Submit
C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\PefuspjpfxO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Pefuspjpfxt.bat
Filesize
59B

MD5
c4c4473e5bff369b515fb097eb393d3c

SHA1
412826a06f568c2acd9960d7b599f44f7a94d21b

SHA256
b6df27ef84e770116752e903ba9b384522aff7a0fc12adec4a8a43ad3bd0fd45

SHA512
e4b60804ab3305a2ec062aead151997c57b15def3702242e7f0419be7220db8b96c2be074e49adf59b891c91fb3531c470d3c2021f70eedeb67347f96be230dc

Download Submit
memory/1500-161-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-143-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-121-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-122-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-123-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-124-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-125-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-126-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-128-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-127-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-129-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-130-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-131-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-132-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-133-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-134-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-135-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-137-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-138-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-139-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-141-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-142-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-144-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-145-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-164-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-140-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-136-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-146-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-147-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-148-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-149-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-150-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-151-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-152-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-153-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-154-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-155-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-156-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-163-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-165-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-159-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-160-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-115-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-162-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-157-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-120-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-158-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-166-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-167-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-168-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-169-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-170-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-171-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-172-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-173-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-175-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-174-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-176-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-177-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-178-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-116-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-119-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-117-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1500-118-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/4028-309-0x0000000000000000-mapping.dmp

Download
memory/4184-289-0x0000000000000000-mapping.dmp

Download
memory/4412-771-0x0000000000000000-mapping.dmp

Download
memory/4740-261-0x0000000000000000-mapping.dmp

Download
memory/4740-761-0x0000000000410000-0x0000000000489000-memory.dmp

Filesize
484KB

Download
memory/4740-760-0x0000000000410000-0x0000000000489000-memory.dmp

Filesize
484KB

Download
memory/4740-759-0x0000000010590000-0x000000001060C000-memory.dmp

Filesize
496KB

Download
memory/4740-692-0x0000000000000000-mapping.dmp

Download
memory/4840-275-0x0000000000000000-mapping.dmp

Download
memory/4944-414-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/4944-453-0x0000000009230000-0x00000000092C4000-memory.dmp

Filesize
592KB

Download
memory/4944-420-0x00000000077E0000-0x0000000007B30000-memory.dmp

Filesize
3.3MB

Download
memory/4944-419-0x0000000007770000-0x00000000077D6000-memory.dmp

Filesize
408KB

Download
memory/4944-418-0x00000000074B0000-0x0000000007516000-memory.dmp

Filesize
408KB

Download
memory/4944-441-0x0000000008F20000-0x0000000008F3E000-memory.dmp

Filesize
120KB

Download
memory/4944-449-0x0000000009080000-0x0000000009125000-memory.dmp

Filesize
660KB

Download
memory/4944-424-0x0000000007B70000-0x0000000007B8C000-memory.dmp

Filesize
112KB

Download
memory/4944-656-0x00000000091E0000-0x00000000091FA000-memory.dmp

Filesize
104KB

Download
memory/4944-661-0x00000000091D0000-0x00000000091D8000-memory.dmp

Filesize
32KB

Download
memory/4944-405-0x0000000006E80000-0x00000000074A8000-memory.dmp

Filesize
6.2MB

Download
memory/4944-401-0x0000000006810000-0x0000000006846000-memory.dmp

Filesize
216KB

Download
memory/4944-329-0x0000000000000000-mapping.dmp

Download
memory/4944-440-0x0000000008F40000-0x0000000008F73000-memory.dmp

Filesize
204KB

Download
memory/4944-428-0x0000000007E80000-0x0000000007EF6000-memory.dmp

Filesize
472KB

Download
memory/4944-425-0x00000000080B0000-0x00000000080FB000-memory.dmp

Filesize
300KB

Download