hawkeye | 231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631

Analysis

max time kernel
120s
max time network
54s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Size

999KB
MD5

fc5828552d2036dc60430b21253b5e44
SHA1

737cf33db7761061bd0774ebbd8976445cb98df1
SHA256

231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631
SHA512

9eb22f7ed932371a8a083399cd4dc48daebbddb6daa5f547d07049ac89261b660c25265586800ac1644d74234712b8b37478d1111b0e34c8092ce65bf2cb008f
SSDEEP

24576:ghyp66+rMAW4bzZJfkgmT6sGIcBRLYP64o:AypmA4bNJfkgm2sMBRLN4o

Score

10^/10

hawkeye collection discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Executes dropped EXE 4 IoCs

pid	Process
2900	CryptSvc.exe
2572	EFS.exe
2432	EFS.exe
448	CryptSvc.exe

Loads dropped DLL 3 IoCs

pid	Process
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2572	EFS.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	whatismyipaddress.com
4	whatismyipaddress.com
6	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 468 set thread context of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 set thread context of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 2572 set thread context of 2432	2572	EFS.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptSvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2900	CryptSvc.exe
2900	CryptSvc.exe
2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Token: SeDebugPrivilege	2900	CryptSvc.exe
Token: SeDebugPrivilege	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Token: SeDebugPrivilege	952	vbc.exe
Token: SeDebugPrivilege	1640	vbc.exe
Token: SeDebugPrivilege	2572	EFS.exe
Token: SeDebugPrivilege	448	CryptSvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 468	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	31
PID 2316 wrote to memory of 2900	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	32
PID 2316 wrote to memory of 2900	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	32
PID 2316 wrote to memory of 2900	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	32
PID 2316 wrote to memory of 2900	2316	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	32
PID 2900 wrote to memory of 2572	2900	CryptSvc.exe	33
PID 2900 wrote to memory of 2572	2900	CryptSvc.exe	33
PID 2900 wrote to memory of 2572	2900	CryptSvc.exe	33
PID 2900 wrote to memory of 2572	2900	CryptSvc.exe	33
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 952	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	35
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 468 wrote to memory of 1640	468	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	37
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 2432	2572	EFS.exe	39
PID 2572 wrote to memory of 448	2572	EFS.exe	40
PID 2572 wrote to memory of 448	2572	EFS.exe	40
PID 2572 wrote to memory of 448	2572	EFS.exe	40
PID 2572 wrote to memory of 448	2572	EFS.exe	40

C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
"C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
  "C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2432
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
321B

MD5
e62221a3bb549a72fcc4afa60d34e620

SHA1
d60b16b540e0e3ed459a30cce0678d1fc8a1989a

SHA256
587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95

SHA512
5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
321B

MD5
c3609e29395ccd5fd8407fed36414e75

SHA1
04c0c5dc3fcced0c5581c44af17fa60260fb591a

SHA256
a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857

SHA512
8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

Filesize
8KB

MD5
e5cfadb65f5a6b27b6a559cb3c286b95

SHA1
f33ab26def2759aad5248cf1affa413777148584

SHA256
251b78d864900e3a2b6cc168463421e1bc4ca31bfcabe941b595989bda0e5314

SHA512
b833256eb469717036cd81673e6b4d2bfa00093955b3d202fcfade785f530c51ccb9c23d883f3d263b985996560f3e67d5c7df51963974b526c79f3ded043d9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
999KB

MD5
fc5828552d2036dc60430b21253b5e44

SHA1
737cf33db7761061bd0774ebbd8976445cb98df1

SHA256
231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631

SHA512
9eb22f7ed932371a8a083399cd4dc48daebbddb6daa5f547d07049ac89261b660c25265586800ac1644d74234712b8b37478d1111b0e34c8092ce65bf2cb008f

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
3B

MD5
877a9ba7a98f75b90a9d49f53f15a858

SHA1
3977dced04b7d0c7bc81b01a3f4124e14c683b8e

SHA256
1e5ee5e58c8f490ae68e7e91b1575ebefc2bf6c211f302a553ff0c4925e85321

SHA512
8b952b0566752092c3e52ccba5dd3212b90b53ecf094f339fedb3380bfc94a1466aca388527c47105959ee72ddbfdb83308007b38a9c72d532ca84ac0ae47447

Download Submit
memory/468-10-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-14-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-11-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-40-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/468-8-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-20-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-23-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-16-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/468-30-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/468-31-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/468-42-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/468-6-0x0000000000450000-0x0000000000536000-memory.dmp

Filesize
920KB

Download
memory/468-41-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/952-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/952-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/952-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1640-61-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1640-51-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1640-52-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2316-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-3-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

Filesize
4KB

Download
memory/2316-63-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-76-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2432-77-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2900-43-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-33-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2900-62-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download