hawkeye_reborn | ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
Size

1.0MB
MD5

e3666ecb82584556a39520ea0e788ccc
SHA1

5ef3da4d7acf44376974b903cc50b28763ab9cb7
SHA256

ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8
SHA512

39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42
SSDEEP

12288:DztihczmWgIXa7zeOnMcZ8xIrTalRi5HZMBp+Q4Azten/ibDAPpSNGYcycs9ozpd:DoIK/n9DTalRibMBp+Q4Aen/G

Score

10^/10

hawkeye_reborn m00nd3v_logger discovery infostealer keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Attributes

fields
name

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4408-32-0x0000000004D20000-0x0000000004D96000-memory.dmp	Nirsoft

M00nD3v Logger payload 2 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/2488-7-0x00000000058F0000-0x000000000599A000-memory.dmp	m00nd3v_logger
behavioral2/memory/4408-30-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4408-32-0x0000000004D20000-0x0000000004D96000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4408-32-0x0000000004D20000-0x0000000004D96000-memory.dmp	WebBrowserPassView

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	windows.exe

Executes dropped EXE 1 IoCs

pid	Process
3652	windows.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DsvHelper\\windows.lnk"	reg.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
60	bot.whatismyipaddress.com
20	bot.whatismyipaddress.com
40	bot.whatismyipaddress.com
53	bot.whatismyipaddress.com
59	bot.whatismyipaddress.com
35	bot.whatismyipaddress.com
44	bot.whatismyipaddress.com
47	bot.whatismyipaddress.com
55	bot.whatismyipaddress.com
21	bot.whatismyipaddress.com
36	bot.whatismyipaddress.com
48	bot.whatismyipaddress.com
43	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 3652 set thread context of 3880	3652	windows.exe	97
PID 3652 set thread context of 4408	3652	windows.exe	98
PID 3652 set thread context of 5052	3652	windows.exe	103
PID 3652 set thread context of 4884	3652	windows.exe	104
PID 3652 set thread context of 2276	3652	windows.exe	107
PID 3652 set thread context of 2860	3652	windows.exe	108
PID 3652 set thread context of 1456	3652	windows.exe	109
PID 3652 set thread context of 2092	3652	windows.exe	110
PID 3652 set thread context of 2056	3652	windows.exe	111
PID 3652 set thread context of 3856	3652	windows.exe	112
PID 3652 set thread context of 4960	3652	windows.exe	113
PID 3652 set thread context of 1564	3652	windows.exe	114
PID 3652 set thread context of 5048	3652	windows.exe	115
PID 3652 set thread context of 1808	3652	windows.exe	116
PID 3652 set thread context of 2856	3652	windows.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3652	windows.exe
3652	windows.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe
3880	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	windows.exe
Token: SeDebugPrivilege	3880	RegAsm.exe
Token: SeDebugPrivilege	4408	MSBuild.exe
Token: SeDebugPrivilege	5052	MSBuild.exe
Token: SeDebugPrivilege	4884	MSBuild.exe
Token: SeDebugPrivilege	2276	MSBuild.exe
Token: SeDebugPrivilege	2860	MSBuild.exe
Token: SeDebugPrivilege	1456	MSBuild.exe
Token: SeDebugPrivilege	2092	MSBuild.exe
Token: SeDebugPrivilege	2056	MSBuild.exe
Token: SeDebugPrivilege	3856	MSBuild.exe
Token: SeDebugPrivilege	4960	MSBuild.exe
Token: SeDebugPrivilege	1564	MSBuild.exe
Token: SeDebugPrivilege	5048	MSBuild.exe
Token: SeDebugPrivilege	1808	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3652	2488	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	89
PID 2488 wrote to memory of 3652	2488	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	89
PID 2488 wrote to memory of 3652	2488	e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe	89
PID 3652 wrote to memory of 3544	3652	windows.exe	92
PID 3652 wrote to memory of 3544	3652	windows.exe	92
PID 3652 wrote to memory of 3544	3652	windows.exe	92
PID 3544 wrote to memory of 3152	3544	cmd.exe	95
PID 3544 wrote to memory of 3152	3544	cmd.exe	95
PID 3544 wrote to memory of 3152	3544	cmd.exe	95
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 3880	3652	windows.exe	97
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 4408	3652	windows.exe	98
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 5052	3652	windows.exe	103
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 4884	3652	windows.exe	104
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2276	3652	windows.exe	107
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 2860	3652	windows.exe	108
PID 3652 wrote to memory of 1456	3652	windows.exe	109
PID 3652 wrote to memory of 1456	3652	windows.exe	109
PID 3652 wrote to memory of 1456	3652	windows.exe	109
PID 3652 wrote to memory of 1456	3652	windows.exe	109
PID 3652 wrote to memory of 1456	3652	windows.exe	109
PID 3652 wrote to memory of 1456	3652	windows.exe	109
PID 3652 wrote to memory of 1456	3652	windows.exe	109

C:\Users\Admin\AppData\Local\Temp\e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3666ecb82584556a39520ea0e788ccc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe" -n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.lnk" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
1KB

MD5
03214d9e080af5cbe7dd1a2aeb9e1e8a

SHA1
84964a1c84b57fda453928c80e140ae2e6fefca7

SHA256
2800551d4460fdb827a2274a8e5f59019ff6a1a1bfd3b4a4d26bceb68d88ef11

SHA512
37deb50e7043058a26a48199ee6a8ded7d4e74128e0e0ea1f5266475f838b8b0bf7577bbbe8816f282d674ec070e28f485a7609cef05b59ab2655aeec6d69620

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DsvHelper\windows.exe

Filesize
1.0MB

MD5
e3666ecb82584556a39520ea0e788ccc

SHA1
5ef3da4d7acf44376974b903cc50b28763ab9cb7

SHA256
ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8

SHA512
39c2c4aa953522dbf61fd3a3708fab917eeb729b3f851c3e71be6f4e254db215e32d3dc6b44965c106a1cc326a2a6ff84926e64d4978963cefea12ac583e4c42

Download Submit
memory/2488-1-0x0000000000890000-0x0000000000998000-memory.dmp

Filesize
1.0MB

Download
memory/2488-2-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/2488-4-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/2488-3-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2488-5-0x00000000056C0000-0x000000000575C000-memory.dmp

Filesize
624KB

Download
memory/2488-6-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/2488-7-0x00000000058F0000-0x000000000599A000-memory.dmp

Filesize
680KB

Download
memory/2488-23-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2488-0-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/3652-24-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3652-28-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/3652-33-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3652-34-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3652-25-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3856-47-0x0000000000470000-0x0000000000490000-memory.dmp

Filesize
128KB

Download
memory/3880-31-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/4408-30-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4408-32-0x0000000004D20000-0x0000000004D96000-memory.dmp

Filesize
472KB

Download
memory/4408-35-0x0000000005000000-0x0000000005066000-memory.dmp

Filesize
408KB

Download