hawkeye | 7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
Size

340KB
MD5

53dd759d56240beba49d6318b4e53197
SHA1

25f4afea4e8babc6d7774fcf08b48f3917f05ae8
SHA256

7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0
SHA512

61c4e0b2348317efa48905e6918040775269022d052af5f805a45670710fa1259606011e08b434ffe4ebdea58dc95b6a053f2af9d0539f4e119cd5bbca5924d2
SSDEEP

6144:AyGXQhW1B4rVph3k4cSbgzs/rEpyrVRRelKHAK3g3UHYTvLRUQSOObAIAjgItE6a:PzGnvpDOB+jggTBtAyhKuD

Score

10^/10

hawkeye evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	audiodgi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	audiodgi.exe

Deletes itself 1 IoCs

pid	Process
3640	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
3640	svchost.exe
1116	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
864	wmpmetwk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1116-27-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1116-28-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1116-26-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/1116-23-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3640 set thread context of 1116	3640	svchost.exe	88
PID 4592 set thread context of 864	4592	wmpmetwk.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5048	864	WerFault.exe	103

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1004	reg.exe
544	reg.exe
2100	reg.exe
3108	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe
4600	audiodgi.exe
4592	wmpmetwk.exe
3640	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
Token: SeDebugPrivilege	3640	svchost.exe
Token: 1	1116	svchost.exe
Token: SeCreateTokenPrivilege	1116	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1116	svchost.exe
Token: SeLockMemoryPrivilege	1116	svchost.exe
Token: SeIncreaseQuotaPrivilege	1116	svchost.exe
Token: SeMachineAccountPrivilege	1116	svchost.exe
Token: SeTcbPrivilege	1116	svchost.exe
Token: SeSecurityPrivilege	1116	svchost.exe
Token: SeTakeOwnershipPrivilege	1116	svchost.exe
Token: SeLoadDriverPrivilege	1116	svchost.exe
Token: SeSystemProfilePrivilege	1116	svchost.exe
Token: SeSystemtimePrivilege	1116	svchost.exe
Token: SeProfSingleProcessPrivilege	1116	svchost.exe
Token: SeIncBasePriorityPrivilege	1116	svchost.exe
Token: SeCreatePagefilePrivilege	1116	svchost.exe
Token: SeCreatePermanentPrivilege	1116	svchost.exe
Token: SeBackupPrivilege	1116	svchost.exe
Token: SeRestorePrivilege	1116	svchost.exe
Token: SeShutdownPrivilege	1116	svchost.exe
Token: SeDebugPrivilege	1116	svchost.exe
Token: SeAuditPrivilege	1116	svchost.exe
Token: SeSystemEnvironmentPrivilege	1116	svchost.exe
Token: SeChangeNotifyPrivilege	1116	svchost.exe
Token: SeRemoteShutdownPrivilege	1116	svchost.exe
Token: SeUndockPrivilege	1116	svchost.exe
Token: SeSyncAgentPrivilege	1116	svchost.exe
Token: SeEnableDelegationPrivilege	1116	svchost.exe
Token: SeManageVolumePrivilege	1116	svchost.exe
Token: SeImpersonatePrivilege	1116	svchost.exe
Token: SeCreateGlobalPrivilege	1116	svchost.exe
Token: 31	1116	svchost.exe
Token: 32	1116	svchost.exe
Token: 33	1116	svchost.exe
Token: 34	1116	svchost.exe
Token: 35	1116	svchost.exe
Token: SeDebugPrivilege	4600	audiodgi.exe
Token: SeDebugPrivilege	4592	wmpmetwk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1116	svchost.exe
1116	svchost.exe
1116	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3640	1556	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	87
PID 1556 wrote to memory of 3640	1556	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	87
PID 1556 wrote to memory of 3640	1556	53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe	87
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 3640 wrote to memory of 1116	3640	svchost.exe	88
PID 1116 wrote to memory of 1404	1116	svchost.exe	89
PID 1116 wrote to memory of 1404	1116	svchost.exe	89
PID 1116 wrote to memory of 1404	1116	svchost.exe	89
PID 1116 wrote to memory of 5080	1116	svchost.exe	90
PID 1116 wrote to memory of 5080	1116	svchost.exe	90
PID 1116 wrote to memory of 5080	1116	svchost.exe	90
PID 1116 wrote to memory of 3696	1116	svchost.exe	91
PID 1116 wrote to memory of 3696	1116	svchost.exe	91
PID 1116 wrote to memory of 3696	1116	svchost.exe	91
PID 1116 wrote to memory of 1304	1116	svchost.exe	92
PID 1116 wrote to memory of 1304	1116	svchost.exe	92
PID 1116 wrote to memory of 1304	1116	svchost.exe	92
PID 1404 wrote to memory of 2100	1404	cmd.exe	97
PID 1404 wrote to memory of 2100	1404	cmd.exe	97
PID 1404 wrote to memory of 2100	1404	cmd.exe	97
PID 3696 wrote to memory of 3108	3696	cmd.exe	98
PID 3696 wrote to memory of 3108	3696	cmd.exe	98
PID 3696 wrote to memory of 3108	3696	cmd.exe	98
PID 1304 wrote to memory of 544	1304	cmd.exe	99
PID 1304 wrote to memory of 544	1304	cmd.exe	99
PID 1304 wrote to memory of 544	1304	cmd.exe	99
PID 5080 wrote to memory of 1004	5080	cmd.exe	100
PID 5080 wrote to memory of 1004	5080	cmd.exe	100
PID 5080 wrote to memory of 1004	5080	cmd.exe	100
PID 3640 wrote to memory of 4600	3640	svchost.exe	101
PID 3640 wrote to memory of 4600	3640	svchost.exe	101
PID 3640 wrote to memory of 4600	3640	svchost.exe	101
PID 4600 wrote to memory of 4592	4600	audiodgi.exe	102
PID 4600 wrote to memory of 4592	4600	audiodgi.exe	102
PID 4600 wrote to memory of 4592	4600	audiodgi.exe	102
PID 4592 wrote to memory of 864	4592	wmpmetwk.exe	103
PID 4592 wrote to memory of 864	4592	wmpmetwk.exe	103
PID 4592 wrote to memory of 864	4592	wmpmetwk.exe	103
PID 4592 wrote to memory of 864	4592	wmpmetwk.exe	103

C:\Users\Admin\AppData\Local\Temp\53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53dd759d56240beba49d6318b4e53197_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:544
- - C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    3⤵
    - Adds policy Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        5⤵
        Executes dropped EXE
        
        PID:864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 80
        6⤵
        Program crash
        
        PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 864 -ip 864
1⤵
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
87B

MD5
e9c70a8ab240fb4e8164d67c7c24be2f

SHA1
ca12502f573c41b3c5ae53cded52d3e2cf93733e

SHA256
a0fa0d7ec90c910403f23b411361e9966d1ef081ea65194d0a723d4308a1e570

SHA512
eae6ff76e057dbaeb60882131d2593fa34a28c3a1787f5a002e572ca8067efa706e2e735b8661e61f88b742a71d7f724c7736410297c2bb9b7ad50075f1f22dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
7KB

MD5
6d283be2823b28d65301591c318cb91d

SHA1
eab65bfa634225d303a96d67f61223011f0c88ed

SHA256
ed40f7d336c87960d7e9ef7b70532f1636b160e7b30685b366eb503d59dbef57

SHA512
9eaa4369f653d98c04d3f192348be0dde5928cca693cf9c2bde190a0220c4b3c840126ac185a3a2a4b92cbaf74089c468919c861377deb34b842b5c233411abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
340KB

MD5
53dd759d56240beba49d6318b4e53197

SHA1
25f4afea4e8babc6d7774fcf08b48f3917f05ae8

SHA256
7904257af820db24fcf0cba9fe6cd156eecd2a99c4b837f5807660d2c13b5fb0

SHA512
61c4e0b2348317efa48905e6918040775269022d052af5f805a45670710fa1259606011e08b434ffe4ebdea58dc95b6a053f2af9d0539f4e119cd5bbca5924d2

Download Submit
memory/1116-27-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1116-28-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1116-26-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1116-23-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1556-0-0x0000000074DB2000-0x0000000074DB3000-memory.dmp

Filesize
4KB

Download
memory/1556-18-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/1556-2-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/1556-1-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3640-17-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3640-21-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download
memory/3640-38-0x0000000074DB0000-0x0000000075361000-memory.dmp

Filesize
5.7MB

Download