hawkeye | 805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Size

478KB
MD5

d6f9fd8a8720a51076be8f7b25278d4b
SHA1

1ca7cce3fad42b219702975306f3d8e6d62cf6e6
SHA256

805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b
SHA512

0c973ce58e4aa0645f6b5f193e91e5e356a3956e08f054a08b44b41759bc383c3c60f9c0f5bc3db2225fd9a3097e945fc88e6c1e42c12cc0b31612219a5b69aa
SSDEEP

12288:e9jBgFYsPt4Hp9ujwkSBv7Gz5dbMi8nPgOz6JQrrWM7vFnifpGZ1X3WAr+ybzxw4:erg7t4Hp9ujwkSBv7Gz5dbMi8nPgOz6Q

Score

10^/10

hawkeye discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Deletes itself 1 IoCs

pid	Process
1816	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1816	svchost.exe
2716	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe

Loads dropped DLL 7 IoCs

pid	Process
2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
1816	svchost.exe
1816	svchost.exe
2852	audiodgi.exe
2852	audiodgi.exe
2728	wmpmetwk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"	audiodgi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 2716	1816	svchost.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpmetwk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2656	reg.exe
2612	reg.exe
2720	reg.exe
2772	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe
2852	audiodgi.exe
2728	wmpmetwk.exe
1816	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
Token: SeDebugPrivilege	1816	svchost.exe
Token: 1	2716	svchost.exe
Token: SeCreateTokenPrivilege	2716	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2716	svchost.exe
Token: SeLockMemoryPrivilege	2716	svchost.exe
Token: SeIncreaseQuotaPrivilege	2716	svchost.exe
Token: SeMachineAccountPrivilege	2716	svchost.exe
Token: SeTcbPrivilege	2716	svchost.exe
Token: SeSecurityPrivilege	2716	svchost.exe
Token: SeTakeOwnershipPrivilege	2716	svchost.exe
Token: SeLoadDriverPrivilege	2716	svchost.exe
Token: SeSystemProfilePrivilege	2716	svchost.exe
Token: SeSystemtimePrivilege	2716	svchost.exe
Token: SeProfSingleProcessPrivilege	2716	svchost.exe
Token: SeIncBasePriorityPrivilege	2716	svchost.exe
Token: SeCreatePagefilePrivilege	2716	svchost.exe
Token: SeCreatePermanentPrivilege	2716	svchost.exe
Token: SeBackupPrivilege	2716	svchost.exe
Token: SeRestorePrivilege	2716	svchost.exe
Token: SeShutdownPrivilege	2716	svchost.exe
Token: SeDebugPrivilege	2716	svchost.exe
Token: SeAuditPrivilege	2716	svchost.exe
Token: SeSystemEnvironmentPrivilege	2716	svchost.exe
Token: SeChangeNotifyPrivilege	2716	svchost.exe
Token: SeRemoteShutdownPrivilege	2716	svchost.exe
Token: SeUndockPrivilege	2716	svchost.exe
Token: SeSyncAgentPrivilege	2716	svchost.exe
Token: SeEnableDelegationPrivilege	2716	svchost.exe
Token: SeManageVolumePrivilege	2716	svchost.exe
Token: SeImpersonatePrivilege	2716	svchost.exe
Token: SeCreateGlobalPrivilege	2716	svchost.exe
Token: 31	2716	svchost.exe
Token: 32	2716	svchost.exe
Token: 33	2716	svchost.exe
Token: 34	2716	svchost.exe
Token: 35	2716	svchost.exe
Token: SeDebugPrivilege	2852	audiodgi.exe
Token: SeDebugPrivilege	2728	wmpmetwk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1816	2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1816	2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1816	2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1816	2520	d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe	30
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 1816 wrote to memory of 2716	1816	svchost.exe	31
PID 2716 wrote to memory of 2760	2716	svchost.exe	32
PID 2716 wrote to memory of 2760	2716	svchost.exe	32
PID 2716 wrote to memory of 2760	2716	svchost.exe	32
PID 2716 wrote to memory of 2760	2716	svchost.exe	32
PID 2716 wrote to memory of 2912	2716	svchost.exe	33
PID 2716 wrote to memory of 2912	2716	svchost.exe	33
PID 2716 wrote to memory of 2912	2716	svchost.exe	33
PID 2716 wrote to memory of 2912	2716	svchost.exe	33
PID 2716 wrote to memory of 2932	2716	svchost.exe	35
PID 2716 wrote to memory of 2932	2716	svchost.exe	35
PID 2716 wrote to memory of 2932	2716	svchost.exe	35
PID 2716 wrote to memory of 2932	2716	svchost.exe	35
PID 2716 wrote to memory of 3048	2716	svchost.exe	36
PID 2716 wrote to memory of 3048	2716	svchost.exe	36
PID 2716 wrote to memory of 3048	2716	svchost.exe	36
PID 2716 wrote to memory of 3048	2716	svchost.exe	36
PID 1816 wrote to memory of 2852	1816	svchost.exe	40
PID 1816 wrote to memory of 2852	1816	svchost.exe	40
PID 1816 wrote to memory of 2852	1816	svchost.exe	40
PID 1816 wrote to memory of 2852	1816	svchost.exe	40
PID 2760 wrote to memory of 2720	2760	cmd.exe	42
PID 2760 wrote to memory of 2720	2760	cmd.exe	42
PID 2760 wrote to memory of 2720	2760	cmd.exe	42
PID 2760 wrote to memory of 2720	2760	cmd.exe	42
PID 2912 wrote to memory of 2772	2912	cmd.exe	41
PID 2912 wrote to memory of 2772	2912	cmd.exe	41
PID 2912 wrote to memory of 2772	2912	cmd.exe	41
PID 2912 wrote to memory of 2772	2912	cmd.exe	41
PID 2932 wrote to memory of 2656	2932	cmd.exe	43
PID 2932 wrote to memory of 2656	2932	cmd.exe	43
PID 2932 wrote to memory of 2656	2932	cmd.exe	43
PID 2932 wrote to memory of 2656	2932	cmd.exe	43
PID 3048 wrote to memory of 2612	3048	cmd.exe	44
PID 3048 wrote to memory of 2612	3048	cmd.exe	44
PID 3048 wrote to memory of 2612	3048	cmd.exe	44
PID 3048 wrote to memory of 2612	3048	cmd.exe	44
PID 2852 wrote to memory of 2728	2852	audiodgi.exe	45
PID 2852 wrote to memory of 2728	2852	audiodgi.exe	45
PID 2852 wrote to memory of 2728	2852	audiodgi.exe	45
PID 2852 wrote to memory of 2728	2852	audiodgi.exe	45
PID 2728 wrote to memory of 2464	2728	wmpmetwk.exe	46
PID 2728 wrote to memory of 2464	2728	wmpmetwk.exe	46
PID 2728 wrote to memory of 2464	2728	wmpmetwk.exe	46
PID 2728 wrote to memory of 2464	2728	wmpmetwk.exe	46

C:\Users\Admin\AppData\Local\Temp\d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6f9fd8a8720a51076be8f7b25278d4b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2612
- - C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        5⤵
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
608ba18769d8c39ed93483afbe8d6779

SHA1
aabaea18ef0da2077f38d57f2c7ccbb31581e9b1

SHA256
390ccf980135935b1fd0ced301caa8468eb96f466f3570c615588e7e4fdbfd25

SHA512
aec4974218a32f93b45426a6fc704544fec22287e805756a83960577c42ff9e8faa0af3cb42a17a00bebca99e14b01925185c364cfdf46fb991d415dc8be4d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe

Filesize
10KB

MD5
83ce94edcf6b43e60e467a9f22705d3e

SHA1
0a3738cbee68a53e8d5e93f83d5b633f8ae95232

SHA256
558224443ed55cc3efc377ff06ba86ef2d4c910da4d3d47c590377c487c1d63f

SHA512
51675f7143d6666452dc231ffc03e0dab642f2c2c8a3d61dc567beec825ea52d45513243ea81d3873d44a66b8d7a1340f0b6e5ecac741c29d01813de8631d383

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
478KB

MD5
d6f9fd8a8720a51076be8f7b25278d4b

SHA1
1ca7cce3fad42b219702975306f3d8e6d62cf6e6

SHA256
805d22047aa58968b27b172380eef58877f5b96177d21c77e3dd16fe891bce0b

SHA512
0c973ce58e4aa0645f6b5f193e91e5e356a3956e08f054a08b44b41759bc383c3c60f9c0f5bc3db2225fd9a3097e945fc88e6c1e42c12cc0b31612219a5b69aa

Download Submit
memory/1816-50-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-22-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-23-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-21-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-18-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-0-0x0000000074911000-0x0000000074912000-memory.dmp

Filesize
4KB

Download
memory/2520-4-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-1-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-34-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2716-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2716-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2716-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2716-51-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download