hawkeye | 231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Size

999KB
MD5

fc5828552d2036dc60430b21253b5e44
SHA1

737cf33db7761061bd0774ebbd8976445cb98df1
SHA256

231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631
SHA512

9eb22f7ed932371a8a083399cd4dc48daebbddb6daa5f547d07049ac89261b660c25265586800ac1644d74234712b8b37478d1111b0e34c8092ce65bf2cb008f
SSDEEP

24576:ghyp66+rMAW4bzZJfkgmT6sGIcBRLYP64o:AypmA4bNJfkgm2sMBRLN4o

Score

10^/10

hawkeye collection discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye

Executes dropped EXE 4 IoCs

pid	Process
2112	CryptSvc.exe
2612	EFS.exe
1972	EFS.exe
2920	CryptSvc.exe

Loads dropped DLL 3 IoCs

pid	Process
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
2612	EFS.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com
6	whatismyipaddress.com
7	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 2760 set thread context of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 set thread context of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2612 set thread context of 1972	2612	EFS.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EFS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe
1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
2112	CryptSvc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Token: SeDebugPrivilege	2112	CryptSvc.exe
Token: SeDebugPrivilege	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
Token: SeDebugPrivilege	2868	vbc.exe
Token: SeDebugPrivilege	1636	vbc.exe
Token: SeDebugPrivilege	2612	EFS.exe
Token: SeDebugPrivilege	2920	CryptSvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2760	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	28
PID 1860 wrote to memory of 2112	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	29
PID 1860 wrote to memory of 2112	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	29
PID 1860 wrote to memory of 2112	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	29
PID 1860 wrote to memory of 2112	1860	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	29
PID 2112 wrote to memory of 2612	2112	CryptSvc.exe	30
PID 2112 wrote to memory of 2612	2112	CryptSvc.exe	30
PID 2112 wrote to memory of 2612	2112	CryptSvc.exe	30
PID 2112 wrote to memory of 2612	2112	CryptSvc.exe	30
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 2868	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	34
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2760 wrote to memory of 1636	2760	231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe	36
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 1972	2612	EFS.exe	38
PID 2612 wrote to memory of 2920	2612	EFS.exe	39
PID 2612 wrote to memory of 2920	2612	EFS.exe	39
PID 2612 wrote to memory of 2920	2612	EFS.exe	39
PID 2612 wrote to memory of 2920	2612	EFS.exe	39

C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
"C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe
  "C:\Users\Admin\AppData\Local\Temp\231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1972
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
321B

MD5
e62221a3bb549a72fcc4afa60d34e620

SHA1
d60b16b540e0e3ed459a30cce0678d1fc8a1989a

SHA256
587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95

SHA512
5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\holdermail.txt

Filesize
321B

MD5
c3609e29395ccd5fd8407fed36414e75

SHA1
04c0c5dc3fcced0c5581c44af17fa60260fb591a

SHA256
a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857

SHA512
8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CryptSvc.exe

Filesize
8KB

MD5
e5cfadb65f5a6b27b6a559cb3c286b95

SHA1
f33ab26def2759aad5248cf1affa413777148584

SHA256
251b78d864900e3a2b6cc168463421e1bc4ca31bfcabe941b595989bda0e5314

SHA512
b833256eb469717036cd81673e6b4d2bfa00093955b3d202fcfade785f530c51ccb9c23d883f3d263b985996560f3e67d5c7df51963974b526c79f3ded043d9b

Download Submit
C:\Users\Admin\AppData\Roaming\pid.txt

Filesize
4B

MD5
b0bef4c9a6e50d43880191492d4fc827

SHA1
2650a12d36146ad4ab44ad4fc6bb77f59fa487f4

SHA256
5fff864d27239fa252f76a884f2d427362b8e758d654db16a80d4136a1dca2d2

SHA512
a1053810008990231b9c1a60703ca33ed2f97c0ed2971db8925161c73dd5cd020b1ec93dcbe5d328837c511451cc2bcf6c557bea273279b55413f36b89e18ee3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\EFS.exe

Filesize
999KB

MD5
fc5828552d2036dc60430b21253b5e44

SHA1
737cf33db7761061bd0774ebbd8976445cb98df1

SHA256
231eb8d1c2f39452977edb07c49276b0dd9886178d16daee32a8a59dac8a8631

SHA512
9eb22f7ed932371a8a083399cd4dc48daebbddb6daa5f547d07049ac89261b660c25265586800ac1644d74234712b8b37478d1111b0e34c8092ce65bf2cb008f

Download Submit
memory/1636-48-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1636-58-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1636-47-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1860-3-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-1-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-59-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-2-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1860-0-0x0000000074221000-0x0000000074222000-memory.dmp

Filesize
4KB

Download
memory/1972-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1972-72-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1972-73-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2760-12-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-31-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-16-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-15-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-6-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-23-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-37-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-30-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2760-10-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-20-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2760-8-0x0000000000080000-0x0000000000166000-memory.dmp

Filesize
920KB

Download
memory/2868-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2868-41-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2868-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2868-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download