Malware Analysis Report

2024-10-18 23:04

Sample ID 240116-xve3lahadk
Target 60a750362cc45cc0d799ae006dfec30c
SHA256 5670ca915b7269fcdfe6cbcd67f9369911421486b44d6a22b5682cd3267b89b8
Tags
ardamax discovery keylogger stealer
score
10/10

Analysis Overview

score
10/10

SHA256

5670ca915b7269fcdfe6cbcd67f9369911421486b44d6a22b5682cd3267b89b8

Threat Level: Known bad

The file 60a750362cc45cc0d799ae006dfec30c was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger stealer

Ardamax

Ardamax main executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-16 19:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-16 19:10

Reported

2024-01-16 19:12

Platform

win7-20231215-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
N/A N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Sys\Iexplore.007 C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.exe C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
File opened for modification C:\Windows\SysWOW64\Sys C:\Windows\SysWOW64\Sys\Iexplore.exe N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.001 C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.006 C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2976 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60542247-0249-417D-949B-2F0CC7EE1165} C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{60632754-c523-4b62-b45c-4172da012619} C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0
PID 3036 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 C:\Windows\SysWOW64\Sys\Iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe

"C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe"

C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0

"C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe"

C:\Windows\SysWOW64\Sys\Iexplore.exe

"C:\Windows\system32\Sys\Iexplore.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Arm81C.tmp

\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0

\Users\Admin\AppData\Local\Temp\@973.tmp

\Windows\SysWOW64\Sys\Iexplore.exe

C:\Windows\SysWOW64\Sys\Iexplore.007

C:\Windows\SysWOW64\Sys\Iexplore.006

C:\Windows\SysWOW64\Sys\Iexplore.001

memory/2724-34-0x0000000000480000-0x0000000000481000-memory.dmp

memory/2724-37-0x00000000770DF000-0x00000000770E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-16 19:10

Reported

2024-01-16 19:12

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
N/A N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Sys C:\Windows\SysWOW64\Sys\Iexplore.exe N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.001 C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.006 C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.007 C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A
File created C:\Windows\SysWOW64\Sys\Iexplore.exe C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1392 set thread context of 3236 N/A C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12DD4DBB-532B-4FCE-8653-74CDB9C8FE5A} C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12E6F532-6A8B-419B-85DE-7925A9348E99} C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38B3C46A-FCD9-11D1-B2E4-0060975B8649} C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38B3C46A-FCD9-11D1-B2E4-0060975B8649}\TypeLib C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38B3C46A-FCD9-11D1-B2E4-0060975B8649}\TypeLib\ = "{4B6CA950-10B6-5525-D969-EE2EA7281FDC}" C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Sys\Iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe

"C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe"

C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0

"C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.exe"

C:\Windows\SysWOW64\Sys\Iexplore.exe

"C:\Windows\system32\Sys\Iexplore.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Arm48FF.tmp

C:\Users\Admin\AppData\Local\Temp\60a750362cc45cc0d799ae006dfec30c.TMP0

C:\Users\Admin\AppData\Local\Temp\@4B61.tmp

C:\Windows\SysWOW64\Sys\Iexplore.exe

C:\Windows\SysWOW64\Sys\Iexplore.007

C:\Windows\SysWOW64\Sys\Iexplore.006

C:\Windows\SysWOW64\Sys\Iexplore.001

memory/4332-30-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/4332-37-0x0000000000A50000-0x0000000000A51000-memory.dmp