hawkeye | 7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
Size

340KB
MD5

53dd759d56240beba49d6318b4e53197
SHA1

25f4afea4e8babc6d7774fcf08b48f3917f05ae8
SHA256

7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0
SHA512

61c4e0b2348317efa48905e6918040775269022d052af5f805a45670710fa1259606011e08b434ffe4ebdea58dc95b6a053f2af9d0539f4e119cd5bbca5924d2
SSDEEP

6144:AyGXQhW1B4rVph3k4cSbgzs/rEpyrVRRelKHAK3g3UHYTvLRUQSOObAIAjgItE6a:PzGnvpDOB+jggTBtAyhKuD

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Deletes itself 1 IoCs

pid	Process
2028	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
2028	svchost.exe
2468	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2540	wmpmetwk.exe

Loads dropped DLL 7 IoCs

pid	Process
2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
2028	svchost.exe
2028	svchost.exe
2696	audiodgi.exe
2696	audiodgi.exe
2640	wmpmetwk.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-45-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-38-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-37-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-36-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-29-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-27-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-33-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2468-66-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 2468	2028	svchost.exe	29
PID 2640 set thread context of 2540	2640	wmpmetwk.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2804	reg.exe
2748	reg.exe
2144	reg.exe
2700	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe
2696	audiodgi.exe
2640	wmpmetwk.exe
2028	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
Token: SeDebugPrivilege	2028	svchost.exe
Token: 1	2468	svchost.exe
Token: SeCreateTokenPrivilege	2468	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2468	svchost.exe
Token: SeLockMemoryPrivilege	2468	svchost.exe
Token: SeIncreaseQuotaPrivilege	2468	svchost.exe
Token: SeMachineAccountPrivilege	2468	svchost.exe
Token: SeTcbPrivilege	2468	svchost.exe
Token: SeSecurityPrivilege	2468	svchost.exe
Token: SeTakeOwnershipPrivilege	2468	svchost.exe
Token: SeLoadDriverPrivilege	2468	svchost.exe
Token: SeSystemProfilePrivilege	2468	svchost.exe
Token: SeSystemtimePrivilege	2468	svchost.exe
Token: SeProfSingleProcessPrivilege	2468	svchost.exe
Token: SeIncBasePriorityPrivilege	2468	svchost.exe
Token: SeCreatePagefilePrivilege	2468	svchost.exe
Token: SeCreatePermanentPrivilege	2468	svchost.exe
Token: SeBackupPrivilege	2468	svchost.exe
Token: SeRestorePrivilege	2468	svchost.exe
Token: SeShutdownPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeAuditPrivilege	2468	svchost.exe
Token: SeSystemEnvironmentPrivilege	2468	svchost.exe
Token: SeChangeNotifyPrivilege	2468	svchost.exe
Token: SeRemoteShutdownPrivilege	2468	svchost.exe
Token: SeUndockPrivilege	2468	svchost.exe
Token: SeSyncAgentPrivilege	2468	svchost.exe
Token: SeEnableDelegationPrivilege	2468	svchost.exe
Token: SeManageVolumePrivilege	2468	svchost.exe
Token: SeImpersonatePrivilege	2468	svchost.exe
Token: SeCreateGlobalPrivilege	2468	svchost.exe
Token: 31	2468	svchost.exe
Token: 32	2468	svchost.exe
Token: 33	2468	svchost.exe
Token: 34	2468	svchost.exe
Token: 35	2468	svchost.exe
Token: SeDebugPrivilege	2696	audiodgi.exe
Token: SeDebugPrivilege	2640	wmpmetwk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2540	wmpmetwk.exe
2540	wmpmetwk.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2028	2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2028	2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2028	2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2028	2200	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2028 wrote to memory of 2468	2028	svchost.exe	29
PID 2468 wrote to memory of 544	2468	svchost.exe	30
PID 2468 wrote to memory of 544	2468	svchost.exe	30
PID 2468 wrote to memory of 544	2468	svchost.exe	30
PID 2468 wrote to memory of 544	2468	svchost.exe	30
PID 2468 wrote to memory of 936	2468	svchost.exe	31
PID 2468 wrote to memory of 936	2468	svchost.exe	31
PID 2468 wrote to memory of 936	2468	svchost.exe	31
PID 2468 wrote to memory of 936	2468	svchost.exe	31
PID 2468 wrote to memory of 2248	2468	svchost.exe	32
PID 2468 wrote to memory of 2248	2468	svchost.exe	32
PID 2468 wrote to memory of 2248	2468	svchost.exe	32
PID 2468 wrote to memory of 2248	2468	svchost.exe	32
PID 2468 wrote to memory of 2780	2468	svchost.exe	33
PID 2468 wrote to memory of 2780	2468	svchost.exe	33
PID 2468 wrote to memory of 2780	2468	svchost.exe	33
PID 2468 wrote to memory of 2780	2468	svchost.exe	33
PID 2028 wrote to memory of 2696	2028	svchost.exe	34
PID 2028 wrote to memory of 2696	2028	svchost.exe	34
PID 2028 wrote to memory of 2696	2028	svchost.exe	34
PID 2028 wrote to memory of 2696	2028	svchost.exe	34
PID 2696 wrote to memory of 2640	2696	audiodgi.exe	39
PID 2696 wrote to memory of 2640	2696	audiodgi.exe	39
PID 2696 wrote to memory of 2640	2696	audiodgi.exe	39
PID 2696 wrote to memory of 2640	2696	audiodgi.exe	39
PID 2780 wrote to memory of 2804	2780	cmd.exe	40
PID 2780 wrote to memory of 2804	2780	cmd.exe	40
PID 2780 wrote to memory of 2804	2780	cmd.exe	40
PID 2780 wrote to memory of 2804	2780	cmd.exe	40
PID 544 wrote to memory of 2748	544	cmd.exe	41
PID 544 wrote to memory of 2748	544	cmd.exe	41
PID 544 wrote to memory of 2748	544	cmd.exe	41
PID 544 wrote to memory of 2748	544	cmd.exe	41
PID 936 wrote to memory of 2144	936	cmd.exe	42
PID 936 wrote to memory of 2144	936	cmd.exe	42
PID 936 wrote to memory of 2144	936	cmd.exe	42
PID 936 wrote to memory of 2144	936	cmd.exe	42
PID 2248 wrote to memory of 2700	2248	cmd.exe	43
PID 2248 wrote to memory of 2700	2248	cmd.exe	43
PID 2248 wrote to memory of 2700	2248	cmd.exe	43
PID 2248 wrote to memory of 2700	2248	cmd.exe	43
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44
PID 2640 wrote to memory of 2540	2640	wmpmetwk.exe	44

C:\Users\Admin\AppData\Local\Temp\53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2804
- - C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
87B

MD5
e9c70a8ab240fb4e8164d67c7c24be2f

SHA1
ca12502f573c41b3c5ae53cded52d3e2cf93733e

SHA256
a0fa0d7ec90c910403f23b411361e9966d1ef081ea65194d0a723d4308a1e570

SHA512
eae6ff76e057dbaeb60882131d2593fa34a28c3a1787f5a002e572ca8067efa706e2e735b8661e61f88b742a71d7f724c7736410297c2bb9b7ad50075f1f22dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
7KB

MD5
6d283be2823b28d65301591c318cb91d

SHA1
eab65bfa634225d303a96d67f61223011f0c88ed

SHA256
ed40f7d336c87960d7e9ef7b70532f1636b160e7b30685b366eb503d59dbef57

SHA512
9eaa4369f653d98c04d3f192348be0dde5928cca693cf9c2bde190a0220c4b3c840126ac185a3a2a4b92cbaf74089c468919c861377deb34b842b5c233411abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
340KB

MD5
53dd759d56240beba49d6318b4e53197

SHA1
25f4afea4e8babc6d7774fcf08b48f3917f05ae8

SHA256
7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0

SHA512
61c4e0b2348317efa48905e6918040775269022d052af5f805a45670710fa1259606011e08b434ffe4ebdea58dc95b6a053f2af9d0539f4e119cd5bbca5924d2

Download Submit
memory/2028-22-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-21-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-65-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-0-0x0000000074821000-0x0000000074822000-memory.dmp

Filesize
4KB

Download
memory/2200-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-4-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-18-0x0000000074820000-0x0000000074DCB000-memory.dmp

Filesize
5.7MB

Download
memory/2468-45-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2468-29-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-27-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-25-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2468-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2540-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download